#!/usr/bin/perl -T # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # # This Source Code Form is "Incompatible With Secondary Licenses", as # defined by the Mozilla Public License, v. 2.0. use 5.14.0; use strict; use warnings; use lib qw(. lib local/lib/perl5); use Bugzilla; use Bugzilla::Constants; use Bugzilla::Util; use Bugzilla::Error; use Bugzilla::Token; use Bugzilla::User; use Date::Format; use Date::Parse; local our $cgi = Bugzilla->cgi; local our $template = Bugzilla->template; local our $vars = {}; my $action = $cgi->param('a'); my $token = $cgi->param('t'); Bugzilla->login(LOGIN_OPTIONAL); # Throw an error if the form does not contain an "action" field specifying # what the user wants to do. $action || ThrowUserError('unknown_action'); Bugzilla::Token::CleanTokenTable(); my ($user_id, $date, $data, $tokentype) = Bugzilla::Token::GetTokenData($token); # Requesting a new password is the single action which doesn't require a token. # XXX Ideally, these checks should be done inside the subroutines themselves. unless ($action eq 'reqpw') { $tokentype || ThrowUserError("token_does_not_exist"); # Make sure the token is the correct type for the action being taken. # The { user_error => 'wrong_token_for_*' } trick is to make 012throwables.t happy. my $error = {}; if (grep($action eq $_ , qw(cfmpw cxlpw chgpw)) && $tokentype ne 'password') { $error = { user_error => 'wrong_token_for_changing_passwd' }; } elsif ($action eq 'cxlem' && ($tokentype ne 'emailold' && $tokentype ne 'emailnew')) { $error = { user_error => 'wrong_token_for_cancelling_email_change' }; } elsif (grep($action eq $_ , qw(cfmem chgem)) && $tokentype ne 'emailnew') { $error = { user_error => 'wrong_token_for_confirming_email_change' }; } elsif ($action =~ /^(request|confirm|cancel)_new_account$/ && $tokentype ne 'account') { $error = { user_error => 'wrong_token_for_creating_account' }; } if (my $user_error = $error->{user_error}) { Bugzilla::Token::Cancel($token, $user_error); ThrowUserError($user_error); } } if ($action eq 'reqpw') { requestChangePassword(); } elsif ($action eq 'cfmpw') { confirmChangePassword($token); } elsif ($action eq 'cxlpw') { cancelChangePassword($token); } elsif ($action eq 'chgpw') { changePassword($user_id, $token); } elsif ($action eq 'cfmem') { confirmChangeEmail($token); } elsif ($action eq 'cxlem') { cancelChangeEmail($user_id, $data, $tokentype, $token); } elsif ($action eq 'chgem') { changeEmail($user_id, $data, $token); } elsif ($action eq 'request_new_account') { request_create_account($date, $data, $token); } elsif ($action eq 'confirm_new_account') { confirm_create_account($data, $token); } elsif ($action eq 'cancel_new_account') { cancel_create_account($data, $token); } else { ThrowUserError('unknown_action', {action => $action}); } exit; ################################################################################ # Functions ################################################################################ # If the user is requesting a password change, make sure they submitted # their login name and it exists in the database, and that the DB module is in # the list of allowed verification methods. sub requestChangePassword { # check verification methods Bugzilla->user->authorizer->can_change_password || ThrowUserError("password_change_requests_not_allowed"); # Check the hash token to make sure this user actually submitted # the forgotten password form. my $token = $cgi->param('token'); check_hash_token($token, ['reqpw']); my $email = $cgi->param('email') or ThrowUserError("email_needed_for_password_change"); my $userid = email_to_id($email, 'throw_error_if_not_exist'); my $user = new Bugzilla::User($userid); # Make sure the user account is active. if (!$user->is_enabled) { ThrowUserError('account_disabled', {disabled_reason => get_text('account_disabled', {email => $email})}); } Bugzilla::Token::IssuePasswordToken($user); $vars->{'message'} = "password_change_request"; $vars->{'email'} = $email; print $cgi->header(); $template->process("global/message.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub confirmChangePassword { my $token = shift; $vars->{'token'} = $token; print $cgi->header(); $template->process("account/password/set-forgotten-password.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub cancelChangePassword { my $token = shift; $vars->{'message'} = "password_change_canceled"; Bugzilla::Token::Cancel($token, $vars->{'message'}); print $cgi->header(); $template->process("global/message.html.tmpl", $vars) || ThrowTemplateError($template->error()); } # If the user is changing their password, make sure they submitted a new # password and that the new password is valid. sub changePassword { my ($user_id, $token) = @_; my $dbh = Bugzilla->dbh; my $password = $cgi->param('password'); (defined $password && defined $cgi->param('matchpassword')) || ThrowUserError("require_new_password"); validate_password($password, $cgi->param('matchpassword')); # Make sure that these never show up in the UI under any circumstances. $cgi->delete('password', 'matchpassword'); my $user = Bugzilla::User->check({ id => $user_id }); $user->set_password($password); $user->update(); delete_token($token); $dbh->do(q{DELETE FROM tokens WHERE userid = ? AND tokentype = 'password'}, undef, $user_id); Bugzilla->logout_user_by_id($user_id); $vars->{'message'} = "password_changed"; print $cgi->header(); $template->process("global/message.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub confirmChangeEmail { my $token = shift; $vars->{'token'} = $token; print $cgi->header(); $template->process("account/email/confirm.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub changeEmail { my ($userid, $eventdata, $token) = @_; my $dbh = Bugzilla->dbh; my ($old_email, $new_email) = split(/:/,$eventdata); $dbh->bz_start_transaction(); my $user = Bugzilla::User->check({ id => $userid }); my $cgipassword = $cgi->param('password'); # Make sure the user who wants to change the email address # is the real account owner. $user->check_current_password($cgipassword); # The new email address should be available as this was # confirmed initially so cancel token if it is not still available if (!is_available_email($new_email, $old_email)) { $vars->{'email'} = $new_email; # Needed for Bugzilla::Token::Cancel's mail Bugzilla::Token::Cancel($token, "account_exists", $vars); ThrowUserError("account_exists", { email => $new_email } ); } # Update the user's email address in the profiles table. $user->set_email($new_email); $user->update({ keep_session => 1, keep_tokens => 1 }); delete_token($token); $dbh->do(q{DELETE FROM tokens WHERE userid = ? AND tokentype = 'emailnew'}, undef, $userid); $dbh->bz_commit_transaction(); # Return HTTP response headers. print $cgi->header(); # Let the user know their email address has been changed. $vars->{'message'} = "login_changed"; $template->process("global/message.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub cancelChangeEmail { my ($userid, $eventdata, $tokentype, $token) = @_; my $dbh = Bugzilla->dbh; $dbh->bz_start_transaction(); my ($old_email, $new_email) = split(/:/,$eventdata); if ($tokentype eq "emailold") { $vars->{'message'} = "emailold_change_canceled"; my $user = Bugzilla::User->check({ id => $userid }); # check to see if it has been altered if ($user->email ne $old_email) { $user->set_email($old_email); $user->update({ keep_tokens => 1 }); $vars->{'message'} = "email_change_canceled_reinstated"; } } else { $vars->{'message'} = 'email_change_canceled' } $vars->{'old_email'} = $old_email; $vars->{'new_email'} = $new_email; Bugzilla::Token::Cancel($token, $vars->{'message'}, $vars); $dbh->do(q{DELETE FROM tokens WHERE userid = ? AND tokentype = 'emailold' OR tokentype = 'emailnew'}, undef, $userid); $dbh->bz_commit_transaction(); # Return HTTP response headers. print $cgi->header(); $template->process("global/message.html.tmpl", $vars) || ThrowTemplateError($template->error()); } sub request_create_account { my ($date, $data, $token) = @_; Bugzilla->user->check_account_creation_enabled; # Be careful! Some logins may contain ":" in them. my ($email, $login) = split(':', $data, 2); $vars = { token => $token, login => $login, email => $email, # Make sure nobody else chose this login meanwhile. login_already_in_use => login_to_id($login) ? 1 : 0, expiration_ts => ctime(str2time($date) + MAX_TOKEN_AGE * 86400) }; print $cgi->header(); $template->process('account/email/confirm-new.html.tmpl', $vars) || ThrowTemplateError($template->error()); } sub confirm_create_account { my ($data, $token) = @_; Bugzilla->user->check_account_creation_enabled; my $password = $cgi->param('passwd1') || ''; validate_password($password, $cgi->param('passwd2') || ''); # Make sure that these never show up anywhere in the UI. $cgi->delete('passwd1', 'passwd2'); # Be careful! Some logins may contain ":" in them. my ($email, $login) = split(':', $data, 2); $login = $cgi->param('login') if login_to_id($login); my $otheruser = Bugzilla::User->create({ login_name => $login, email => $email, realname => scalar $cgi->param('realname'), cryptpassword => $password}); # Now delete this token. delete_token($token); # Let the user know that their user account has been successfully created. $vars->{'message'} = 'account_created'; $vars->{'otheruser'} = $otheruser; # Log in the new user using credentials they just gave. $cgi->param('Bugzilla_login', $otheruser->login); $cgi->param('Bugzilla_password', $password); Bugzilla->login(LOGIN_OPTIONAL); print $cgi->header(); $template->process('index.html.tmpl', $vars) || ThrowTemplateError($template->error()); } sub cancel_create_account { my ($data, $token) = @_; $vars->{'message'} = 'account_creation_canceled'; # Be careful! Some logins may contain ":" in them. ($vars->{'email'}, $vars->{'login'}) = split(':', $data, 2); Bugzilla::Token::Cancel($token, $vars->{'message'}); print $cgi->header(); $template->process('global/message.html.tmpl', $vars) || ThrowTemplateError($template->error()); }