From d825a0d15037b32b2c7bb7d195ef905691a2edcd Mon Sep 17 00:00:00 2001
From: "bbaetz%acm.org" <>
Date: Wed, 10 Jun 2009 06:18:16 +0000
Subject: Bug 496856 - Fix token.cgi transaction handling

---
 token.cgi | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'token.cgi')

diff --git a/token.cgi b/token.cgi
index 535380042..cd4c508aa 100755
--- a/token.cgi
+++ b/token.cgi
@@ -274,12 +274,13 @@ sub changeEmail {
     $dbh->do('DELETE FROM tokens WHERE token = ?', undef, $token);
     $dbh->do(q{DELETE FROM tokens WHERE userid = ?
                AND tokentype = 'emailnew'}, undef, $userid);
-    $dbh->bz_commit_transaction();
 
     # The email address has been changed, so we need to rederive the groups
     my $user = new Bugzilla::User($userid);
     $user->derive_regexp_groups;
 
+    $dbh->bz_commit_transaction();
+
     # Return HTTP response headers.
     print $cgi->header();
 
@@ -295,6 +296,8 @@ sub cancelChangeEmail {
     my $token = shift;
     my $dbh = Bugzilla->dbh;
 
+    $dbh->bz_begin_transaction();
+
     # Get the user's ID from the tokens table.
     my ($userid, $tokentype, $eventdata) = $dbh->selectrow_array(
                               q{SELECT userid, tokentype, eventdata FROM tokens
@@ -310,16 +313,15 @@ sub cancelChangeEmail {
         
         # check to see if it has been altered
         if($actualemail ne $old_email) {
+            # XXX - This is NOT safe - if A has change to B, another profile
+            # could have grabbed A's username in the meantime.
+            # The DB constraint will catch this, though
             $dbh->do(q{UPDATE   profiles
                        SET      login_name = ?
                        WHERE    userid = ?},
                      undef, ($old_email, $userid));
 
             # email has changed, so rederive groups
-            # Note that this is done _after_ the tables are unlocked
-            # This is sort of a race condition (given the lack of transactions)
-            # but the user had access to it just now, so it's not a security
-            # issue
 
             my $user = new Bugzilla::User($userid);
             $user->derive_regexp_groups;
@@ -339,6 +341,8 @@ sub cancelChangeEmail {
                AND tokentype = 'emailold' OR tokentype = 'emailnew'},
              undef, $userid);
 
+    $dbh->bz_commit_transaction();
+
     # Return HTTP response headers.
     print $cgi->header();
 
-- 
cgit v1.2.3-24-g4f1b