From 59285f71c6ed0d4db7d4b0455902130a2d7c83bd Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sun, 20 Aug 2006 01:11:59 +0000 Subject: Bug 87795: Creating an account should send token and wait for confirmation (prevent user account abuse) - Patch by Frédéric Buclin r=mkanat r=bkor a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/account/cancel-token.txt.tmpl | 11 +++- template/en/default/account/create.html.tmpl | 34 ++++-------- template/en/default/account/created.html.tmpl | 22 ++++---- .../en/default/account/email/confirm-new.html.tmpl | 64 ++++++++++++++++++++++ .../en/default/account/email/request-new.txt.tmpl | 44 +++++++++++++++ template/en/default/email/password.txt.tmpl | 35 ------------ template/en/default/global/messages.html.tmpl | 9 +++ template/en/default/global/user-error.html.tmpl | 13 ++++- 8 files changed, 161 insertions(+), 71 deletions(-) create mode 100644 template/en/default/account/email/confirm-new.html.tmpl create mode 100644 template/en/default/account/email/request-new.txt.tmpl delete mode 100644 template/en/default/email/password.txt.tmpl (limited to 'template/en') diff --git a/template/en/default/account/cancel-token.txt.tmpl b/template/en/default/account/cancel-token.txt.tmpl index 5124759ed..f9d310534 100644 --- a/template/en/default/account/cancel-token.txt.tmpl +++ b/template/en/default/account/cancel-token.txt.tmpl @@ -42,7 +42,9 @@ to [% maintainer %] if you suspect foul play. Cancelled Because: [% PROCESS cancelactionmessage %] [% BLOCK subject %] - [% IF tokentype == 'password' %] + [% IF tokentype == 'new_account' %] + User account creation request cancelled + [% ELSIF tokentype == 'password' %] Password change request cancelled [% ELSIF tokentype == 'emailnew' OR tokentype == 'emailold' %] Email change request cancelled 
@@ -72,6 +74,10 @@ Cancelled Because: [% PROCESS cancelactionmessage %] [% ELSIF cancelaction == 'password_change_cancelled' %] You have requested cancellation. + [% ELSIF cancelaction == 'account_creation_cancelled' %] + The creation of the user account [% emailaddress %] + has been cancelled. + [% ELSIF cancelaction == 'user_logged_in' %] You have logged in. @@ -84,6 +90,9 @@ Cancelled Because: [% PROCESS cancelactionmessage %] [% ELSIF cancelaction == 'wrong_token_for_confirming_email_change' %] You have tried to use the token to confirm the email address change. + [% ELSIF cancelaction == 'wrong_token_for_creating_account' %] + You have tried to use the token to create a user account. + [% ELSE %] [%# Give sensible error if the cancel-token function is used incorrectly. #%] diff --git a/template/en/default/account/create.html.tmpl b/template/en/default/account/create.html.tmpl index 052a2b7fe..2e8739b79 100644 --- a/template/en/default/account/create.html.tmpl +++ b/template/en/default/account/create.html.tmpl @@ -29,47 +29,37 @@ [% PROCESS global/variables.none.tmpl %] [% title = BLOCK %] -Create a new [% terms.Bugzilla %] account + Create a new [% terms.Bugzilla %] account [% END %] -[% PROCESS global/header.html.tmpl %] + +[% PROCESS global/header.html.tmpl + title = title + onload = "document.forms['account_creation_form'].login.focus();" %]

- To create a [% terms.Bugzilla %] account, all you need to do is - enter a legitimate e-mail address. The account will be created, and - its password will be mailed to you. You will not be able to log - in until you receive the password. If it doesn't arrive within a + To create a [% terms.Bugzilla %] account, all you need to do is to enter + a legitimate e-mail address. You will receive an email at this address + to confirm the creation of your account. You will not be able to log + in until you receive the email. If it doesn't arrive within a reasonable amount of time, you can contact the maintainer of this [% terms.Bugzilla %] installation at [% Param("maintainer") %].

-

- Optionally you may enter your real name as well. -

- -
+ - - - - -
E-mail address: - + [% Param('emailsuffix') FILTER html %]
- Real name: - - -

- +
[% PROCESS global/footer.html.tmpl %] diff --git a/template/en/default/account/created.html.tmpl b/template/en/default/account/created.html.tmpl index 2d507b4cf..58064f24c 100644 --- a/template/en/default/account/created.html.tmpl +++ b/template/en/default/account/created.html.tmpl @@ -17,26 +17,26 @@ # Rights Reserved. # # Contributor(s): Gervase Markham + # Frédéric Buclin #%] [%# INTERFACE: # login: string. The user's Bugzilla login email address. #%] -[% PROCESS global/header.html.tmpl - title = "Account Created" -%] +[% PROCESS global/variables.none.tmpl %] -
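Review bot: The rewritten paragraph still says `You will not be able to log in until you receive the email`, but after this patch receiving the mail is not enough — the user has to follow the link and choose a password on the confirmation form — so the sentence should say so, e.g. `You will not be able to log in until you have followed the link in that email and chosen a password.` The hunk also drops the real-name field from this form without telling the user where it went; a short clause such as "You will be asked for a password and, optionally, your real name on the confirmation page" would keep the two-step flow clear. The form markup itself is not visible in this listing, so I could not check the input names the new `onload` focus call relies on.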

- A new account, - [% login FILTER html %], - has been created and a randomly-generated password has been e-mailed - to that address. -

+[% title = BLOCK %] + Request for new user account '[% login FILTER html %]' submitted +[% END %] + +[% PROCESS global/header.html.tmpl title = title %]

- When the e-mail arrives, - log in here. + To confirm the creation of the user account [% login FILTER html %], + use the URL given in the email you will receive. If you take no action in the + next [% constants.MAX_TOKEN_AGE FILTER html %] days, this request will + automatically be canceled.

[% PROCESS global/footer.html.tmpl %] diff --git a/template/en/default/account/email/confirm-new.html.tmpl b/template/en/default/account/email/confirm-new.html.tmpl new file mode 100644 index 000000000..0e9ab98e5 --- /dev/null +++ b/template/en/default/account/email/confirm-new.html.tmpl @@ -0,0 +1,64 @@ +[%# 1.0@bugzilla.org %] +[%# The contents of this file are subject to the Mozilla Public + # License Version 1.1 (the "License"); you may not use this file + # except in compliance with the License. You may obtain a copy of + # the License at http://www.mozilla.org/MPL/ + # + # Software distributed under the License is distributed on an "AS + # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + # implied. See the License for the specific language governing + # rights and limitations under the License. + # + # The Original Code is the Bugzilla Bug Tracking System. + # + # Contributor(s): Frédéric Buclin + #%] + +[%# INTERFACE: + # token: string. The token to be used in the user account creation. + # email: email address of the user account. + # date: creation date of the token. + #%] + +[% title = BLOCK %]Create a new user account for '[% email FILTER html %]'[% END %] +[% PROCESS "global/header.html.tmpl" + title = title + onload = "document.forms['confirm_account_form'].realname.focus();" %] + +[% expiration_ts = date + (constants.MAX_TOKEN_AGE * 86400) %] +
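Review bot: Rendering the same "Request for new user account '…' submitted" page for every request is the right shape for resisting account enumeration, but it only helps if createaccount.cgi reaches this template (and sends a mail of similar timing) whether or not an account for that address already exists — the CGI is not in this diff, so please confirm the existing-account path does not fall through to a distinct error such as the old "account already exists" message. The INTERFACE comment still documents `login` only; it should also list `constants.MAX_TOKEN_AGE` as an input the page now relies on. Spelling is inconsistent with the rest of the patch: this page says `automatically be canceled` while cancel-token.txt.tmpl and messages.html.tmpl use `cancelled`.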
+ To complete the creation of your user account, you must choose a password in the + form below. You can also enter your real name, which is optional.

+ If you don't fill this form before + [%+ time2str("%H:%M on the %o of %B, %Y", expiration_ts) %], the creation + of this account will be automatically cancelled. +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + +
Email Address:[% email FILTER html %]
:
:
:
 
+
+[% PROCESS global/footer.html.tmpl %]
diff --git a/template/en/default/account/email/request-new.txt.tmpl b/template/en/default/account/email/request-new.txt.tmpl
new file mode 100644
index 000000000..85fdec157
--- /dev/null
+++ b/template/en/default/account/email/request-new.txt.tmpl
@@ -0,0 +1,44 @@
+[%# 1.0@bugzilla.org %]
+[%# The contents of this file are subject to the Mozilla Public
+ # License Version 1.1 (the "License"); you may not use this file
+ # except in compliance with the License. You may obtain a copy of
+ # the License at http://www.mozilla.org/MPL/
+ #
+ # Software distributed under the License is distributed on an "AS
+ # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ # implied. See the License for the specific language governing
+ # rights and limitations under the License.
+ #
+ # The Original Code is the Bugzilla Bug Tracking System.
+ #
+ # Contributor(s): Frédéric Buclin
+ #%]
+
+[%# INTERFACE:
+ # token: random string used to authenticate the transaction.
+ # token_ts: creation date of the token.
+ # email: email address of the new account.
+ #%]
+
+[% PROCESS global/variables.none.tmpl %]
+
+[% expiration_ts = token_ts + (constants.MAX_TOKEN_AGE * 86400) %]
+From: bugzilla-admin-daemon
+To: [% email %]
+Subject: [% terms.Bugzilla %]: confirm account creation
+
+[%+ terms.Bugzilla %] has received a request to create a user account
+using your email address ([% email %]).
+
+To confirm that you want to create an account using that email address,
+visit the following link:
+
+[%+ Param('urlbase') %]token.cgi?t=[% token FILTER url_quote %]&a=request_new_account
+
+If you are not the person who made this request, or you wish to cancel
+this request, visit the following link:
+
+[%+ Param('urlbase') %]token.cgi?t=[% token FILTER url_quote %]&a=cancel_new_account
+
+If you do nothing, the request will lapse after [%+ constants.MAX_TOKEN_AGE %] days
+(at precisely [%+ time2str("%H:%M on the %o of %B, %Y", expiration_ts) %]).
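Review bot: The token creation time is named `date` in this template's INTERFACE but `token_ts` in request-new.txt.tmpl, and both templates repeat `expiration_ts = … + (constants.MAX_TOKEN_AGE * 86400)`; use one name for the same value, and consider having token.cgi pass the already-computed expiry so the two dates cannot drift. That arithmetic only works if the caller hands over epoch seconds rather than the database timestamp string, which the INTERFACE comment should state: `# date: creation time of the token, as epoch seconds.`. The form markup is not visible in this listing, so I could not confirm that the token travels in a hidden field and that the two password inputs are `type="password"` with a matching-confirmation check; please verify. The wording `If you don't fill this form` reads better as `If you do not submit this form`.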
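Review bot: `To: [% email %]` writes the requested address straight into a mail header with no filter, so this template is only safe if the caller has already rejected addresses containing CR/LF (header injection); Bugzilla's login validation very likely does that, but the INTERFACE comment should state the contract it depends on: `# email: address of the new account; must already be validated (no CR/LF).`. The cancel link `…&a=cancel_new_account` performs a state change on a plain GET, so mail scanners or link-prefetching clients that fetch every URL in a message will cancel the request before the user ever sees it; consider having that link land on a page with a confirm button, as the `request_new_account` link already leads to a form instead of creating the account outright. The `FILTER url_quote` on the token is correct; the unfiltered `[% email %]` in the body is fine for a text/plain mail.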
diff --git a/template/en/default/email/password.txt.tmpl b/template/en/default/email/password.txt.tmpl
deleted file mode 100644
index 5993a90f5..000000000
--- a/template/en/default/email/password.txt.tmpl
+++ /dev/null
@@ -1,35 +0,0 @@
-[%# 1.0@bugzilla.org %]
-[%# The contents of this file are subject to the Mozilla Public
- # License Version 1.1 (the "License"); you may not use this file
- # except in compliance with the License. You may obtain a copy of
- # the License at http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS
- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- # implied. See the License for the specific language governing
- # rights and limitations under the License.
- #
- # The Original Code is the Bugzilla Bug Tracking System.
- #
- # The Initial Developer of the Original Code is Netscape Communications
- # Corporation. Portions created by Netscape are
- # Copyright (C) 1998 Netscape Communications Corporation. All
- # Rights Reserved.
- #
- # Contributor(s): Emmanuel Seyman
- #%]
-
-[% PROCESS global/variables.none.tmpl %]
-
-From: bugzilla-daemon
-To: [% mailaddress %]
-Subject: Your [% terms.Bugzilla %] password.
-
-To use the wonders of [% terms.Bugzilla %], you can use the following:
-
- E-mail address: [% login %]
- Password: [% password %]
-
- To change your password, go to:
- [%+ Param("urlbase") %]userprefs.cgi
-
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index 08321ed2c..2e1878b5f 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -38,6 +38,15 @@ [% IF groups.size %] You may want to edit the group settings now, using the form below. [% END %] + [% IF login_info %] + You can now go to the Log In page to enter + this [% terms.Bugzilla %] installation. + [% END %] + + [% ELSIF message_tag == "account_creation_cancelled" %] + [% title = "User Account Creation Cancelled" %] + The creation of the user account [% account FILTER html %] has been + cancelled. [% ELSIF message_tag == "account_updated" %] [% IF changed_fields.size diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 53fb3ae27..e67c1a81c 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1318,8 +1318,13 @@ [% ELSIF error == "too_soon_for_new_token" %] [% title = "Too Soon For New Token" %] - You have requested a password token too recently to request - another. Please wait a while and try again. + You have requested + [% IF type == "password" %] + a password + [% ELSIF type == "account" %] + an account + [% END %] + token too recently to request another. Please wait a while and try again. [% ELSIF error == "unknown_keyword" %] [% title = "Unknown Keyword" %] @@ -1398,6 +1403,10 @@ [% title = "Wrong Token" %] That token cannot be used to change your email address. + [% ELSIF error == "wrong_token_for_creating_account" %] + [% title = "Wrong Token" %] + That token cannot be used to create a user account. + [% ELSIF error == "zero_length_file" %] [% title = "File Is Empty" %] The file you are trying to attach is empty! -- cgit v1.2.3-24-g4f1b
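Review bot: In the `too_soon_for_new_token` branch the new `[% IF type == "password" %] … [% ELSIF type == "account" %] … [% END %]` chain has no `ELSE`, so any other `type` value renders the broken sentence "You have requested token too recently"; add `[% ELSE %] a [% END %]` so the message always reads. If the throttle behind this error is keyed by e-mail address, as the password variant is, the `account` wording also tells an unauthenticated caller that somebody recently requested an account for that address — a small enumeration signal that is probably acceptable here but worth a one-line comment above the branch so it is not forgotten. The `wrong_token_for_creating_account` hunk that follows is fine as written.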