From d4a53a6c7bce28a66ff0dc70def2469692f8444c Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Thu, 26 Mar 2015 11:56:02 +0800
Subject: Bug 1147550: Minimum password length handler not trusted by password change
---
 Bugzilla/Auth/Verify/DB.pm | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
(limited to 'Bugzilla/Auth')
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index 2840b4ab8..aaa1b6c87 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -74,10 +74,19 @@ sub check_credentials {
 };
 }
- # Force the user to type a longer password if it's too short.
- if (length($password) < USER_PASSWORD_MIN_LENGTH) {
- return { failure => AUTH_ERROR, user_error => 'password_current_too_short',
- details => { locked_user => $user } };
+ # Force the user to change their password if it does not meet the current
+ # criteria. This should usually only happen if the criteria has changed.
+ if (Bugzilla->usage_mode == USAGE_MODE_BROWSER &&
+ Bugzilla->params->{password_check_on_login})
+ {
+ my $check = validate_password_check($password);
+ if ($check) {
+ return {
+ failure => AUTH_ERROR,
+ user_error => $check,
+ details => { locked_user => $user }
+ }
+ }
 }
 # The user's credentials are okay, so delete any outstanding
-- cgit v1.2.3-24-g4f1b
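Review bot: The password-policy check in the added `if` runs only when `Bugzilla->usage_mode == USAGE_MODE_BROWSER` and `password_check_on_login` is set, so a login through any other usage mode, or with the parameter off, is accepted with a password that no longer meets policy, whereas the removed code applied the `USER_PASSWORD_MIN_LENGTH` test on every path. If that is intended (non-browser clients presumably cannot follow the reset flow), say so above the condition, e.g. `# Non-browser clients are not checked here; they cannot be sent through the password-reset page.`, and consider logging those logins so that accounts with non-compliant passwords can be found. `validate_password_check` is neither defined nor imported in this hunk, so confirm it is in scope in DB.pm, and add the `;` after the closing brace of the `return { ... }`. The body of `check_credentials` starts and ends outside the hunk.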