summaryrefslogtreecommitdiffstats
path: root/reset_password.cgi
blob: ab2226f1e219ea246c317de825ed83b2161b785f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/usr/bin/perl -T

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

use 5.10.1;
use strict;
use warnings;

use lib qw(. lib local/lib/perl5);

use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Token;
use Bugzilla::Util qw( bz_crypt trim );
use Data::Dumper;

my $cgi          = Bugzilla->cgi;
my $user         = Bugzilla->login(LOGIN_REQUIRED);
my $template     = Bugzilla->template;
my $dbh          = Bugzilla->dbh;
my $prev_url     = $cgi->param('prev_url');
my $prev_url_sig = $cgi->param('prev_url_sig');
my $sig_type     = 'prev_url:' . $user->id;
my $prev_url_ok  = check_hash_sig($sig_type, $prev_url_sig, $prev_url);

unless ($prev_url_ok) {
  open my $fh, '>', '/tmp/dump.pl' or die $!;
  print $fh Dumper([$prev_url, $prev_url_sig]);
  close $fh or die $!;
}

unless ($user->password_change_required) {
  ThrowUserError('reset_password_denied',
    {prev_url_ok => $prev_url_ok, prev_url => $prev_url,});

}

if ($cgi->param('do_save')) {
  my $token = $cgi->param('token');
  check_token_data($token, 'reset_password');

  my $old_password = $cgi->param('old_password') // '';
  my $password_1   = $cgi->param('new_password1') // '';
  my $password_2   = $cgi->param('new_password2') // '';

  # make sure passwords never show up in the UI
  foreach my $field (qw( old_password new_password1 new_password2 )) {
    $cgi->delete($field);
  }

  # validation
  my $old_crypt_password = $user->cryptpassword;
  if (bz_crypt($old_password, $old_crypt_password) ne $old_crypt_password) {
    ThrowUserError('old_password_incorrect');
  }
  if ($password_1 eq '' || $password_2 eq '') {
    ThrowUserError('new_password_missing');
  }
  if ($old_password eq $password_1) {
    ThrowUserError('new_password_same');
  }

  Bugzilla->assert_password_is_secure($password_1);
  Bugzilla->assert_passwords_match($password_1, $password_2);

  # update
  $dbh->bz_start_transaction;
  $user->set_password($password_1);
  $user->update({keep_session => 1, keep_tokens => 1});
  Bugzilla->logout(LOGOUT_KEEP_CURRENT);
  delete_token($token);
  $dbh->bz_commit_transaction;

  # done
  print $cgi->header();
  $template->process(
    'account/reset-password.html.tmpl',
    {
      message          => 'password_changed',
      prev_url         => $prev_url,
      prev_url_ok      => $prev_url_ok,
      password_changed => 1
    }
  ) || ThrowTemplateError($template->error());

}

else {
  my $token = issue_session_token('reset_password');

  print $cgi->header();
  $template->process(
    'account/reset-password.html.tmpl',
    {
      token        => $token,
      prev_url     => $prev_url,
      prev_url_ok  => $prev_url_ok,
      prev_url_sig => $prev_url_sig,
      sig_type     => $sig_type,
    }
  ) || ThrowTemplateError($template->error());


}