From b8ecdca238744552db04acb5450ce078d9760a4c Mon Sep 17 00:00:00 2001
From: Simon Green <sgreen@redhat.com>
Date: Thu, 11 Sep 2014 09:45:23 +1000
Subject: Bug 1009013 - Require a user to change their password if they log in
 and their current password does not meet the password complexity rules
 r=glob, a=sgreen

---
 Bugzilla/User.pm | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

(limited to 'Bugzilla/User.pm')

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 58565daf9..acedc65f2 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -32,7 +32,7 @@ use URI::QueryParam;
 
 use parent qw(Bugzilla::Object Exporter);
 @Bugzilla::User::EXPORT = qw(is_available_username
-    login_to_id validate_password
+    login_to_id validate_password validate_password_check
     USER_MATCH_MULTIPLE USER_MATCH_FAILED USER_MATCH_SUCCESS
     MATCH_SKIP_CONFIRM
 );
@@ -2449,29 +2449,35 @@ sub login_to_id {
 }
 
 sub validate_password {
+    my $check = validate_password_check(@_);
+    ThrowUserError($check) if $check;
+    return 1;
+}
+
+sub validate_password_check {
     my ($password, $matchpassword) = @_;
 
     if (length($password) < USER_PASSWORD_MIN_LENGTH) {
-        ThrowUserError('password_too_short');
+        return 'password_too_short';
     } elsif ((defined $matchpassword) && ($password ne $matchpassword)) {
-        ThrowUserError('passwords_dont_match');
+        return 'passwords_dont_match';
     }
-    
+
     my $complexity_level = Bugzilla->params->{password_complexity};
     if ($complexity_level eq 'letters_numbers_specialchars') {
-        ThrowUserError('password_not_complex')
+        return 'password_not_complex'
           if ($password !~ /[[:alpha:]]/ || $password !~ /\d/ || $password !~ /[[:punct:]]/);
     } elsif ($complexity_level eq 'letters_numbers') {
-        ThrowUserError('password_not_complex')
+        return 'password_not_complex'
           if ($password !~ /[[:lower:]]/ || $password !~ /[[:upper:]]/ || $password !~ /\d/);
     } elsif ($complexity_level eq 'mixed_letters') {
-        ThrowUserError('password_not_complex')
+        return 'password_not_complex'
           if ($password !~ /[[:lower:]]/ || $password !~ /[[:upper:]]/);
     }
 
     # Having done these checks makes us consider the password untainted.
     trick_taint($_[0]);
-    return 1;
+    return;
 }
 
 
@@ -3142,12 +3148,23 @@ if you need more information about the user than just their ID.
 =item C<validate_password($passwd1, $passwd2)>
 
 Returns true if a password is valid (i.e. meets Bugzilla's
-requirements for length and content), else returns false.
+requirements for length and content), else throws an error.
 Untaints C<$passwd1> if successful.
 
 If a second password is passed in, this function also verifies that
 the two passwords match.
 
+=item C<validate_password_check($passwd1, $passwd2)>
+
+This sub routine is similair to C<validate_password>, except that it allows
+the calling code to handle its own errors.
+
+Returns undef and untaints C<$passwd1> if a password is valid (i.e. meets
+Bugzilla's requirements for length and content), else returns the error.
+
+If a second password is passed in, this function also verifies that
+the two passwords match.
+
 =item C<match_field($data, $fields, $behavior)>
 
 =over
-- 
cgit v1.2.3-24-g4f1b