From 59285f71c6ed0d4db7d4b0455902130a2d7c83bd Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 20 Aug 2006 01:11:59 +0000
Subject: Bug 87795: Creating an account should send token and wait for
 confirmation (prevent user account abuse) - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r=mkanat r=bkor a=myk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bugzilla/User.pm | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

(limited to 'Bugzilla/User.pm')

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 12c680f78..54d84020f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1355,9 +1355,8 @@ sub insert_new_user {
                    VALUES (?, ?, NOW(), ?, NOW())',
                    undef, ($user->id, $who, $creation_date_fieldid));
 
-    # Return the password to the calling code so it can be included
-    # in an email sent to the user.
-    return $password;
+    # Return the newly created user account.
+    return $user;
 }
 
 sub is_available_username {
@@ -1377,15 +1376,18 @@ sub is_available_username {
     # was unsafe and required weird escaping; using substring to pull out
     # the new/old email addresses and sql_position() to find the delimiter (':')
     # is cleaner/safer
-    my $sth = $dbh->prepare(
-        "SELECT eventdata FROM tokens WHERE tokentype = 'emailold'
-        AND SUBSTRING(eventdata, 1, (" 
-        . $dbh->sql_position(q{':'}, 'eventdata') . "-  1)) = ?
-        OR SUBSTRING(eventdata, (" 
-        . $dbh->sql_position(q{':'}, 'eventdata') . "+ 1)) = ?");
-    $sth->execute($username, $username);
-
-    if (my ($eventdata) = $sth->fetchrow_array()) {
+    my $eventdata = $dbh->selectrow_array(
+        "SELECT eventdata
+           FROM tokens
+          WHERE (tokentype = 'emailold'
+                AND SUBSTRING(eventdata, 1, (" .
+                    $dbh->sql_position(q{':'}, 'eventdata') . "-  1)) = ?)
+             OR (tokentype = 'emailnew'
+                AND SUBSTRING(eventdata, (" .
+                    $dbh->sql_position(q{':'}, 'eventdata') . "+ 1)) = ?)",
+         undef, ($username, $username));
+
+    if ($eventdata) {
         # Allow thru owner of token
         if($old_username && ($eventdata eq "$old_username:$username")) {
             return 1;
@@ -1459,7 +1461,7 @@ Bugzilla::User - Object for a Bugzilla user
       $user->get_selectable_classifications;
 
   # Class Functions
-  $password = insert_new_user($username, $realname, $password, $disabledtext);
+  $user = insert_new_user($username, $realname, $password, $disabledtext);
 
 =head1 DESCRIPTION
 
@@ -1815,8 +1817,7 @@ Params: $username (scalar, string) - The login name for the new user.
                                           be sent depending on the user's 
                                           email preferences.
 
-Returns: The password for this user, in plain text, so it can be included
-         in an e-mail sent to the user.
+Returns: The Bugzilla::User object representing the new user account.
 
 =item C<is_available_username>
 
-- 
cgit v1.2.3-24-g4f1b