|
|
|
|
| 67 |
$::token = $cgi->param('t'); |
67 |
$::token = $cgi->param('t'); |
| 68 |
|
68 |
|
| 69 |
# Make sure the token contains only valid characters in the right amount. |
69 |
# Make sure the token contains only valid characters in the right amount. |
| 70 |
# Validate password will throw an error if token is invalid |
70 |
# ValidatePassword will throw an error if token is invalid |
| 71 |
ValidatePassword($::token); |
71 |
ValidatePassword($::token); |
| 72 |
trick_taint($::token); # Only used in placeholders |
|
|
| 73 |
|
72 |
|
| 74 |
Bugzilla::Token::CleanTokenTable(); |
73 |
Bugzilla::Token::CleanTokenTable(); |
| 75 |
|
74 |
|
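Review bot: The removed `trick_taint` calls at old lines 72, 117 and 201 are not replaced by anything visible in these hunks, so the new code appears to rely on `ValidatePassword`, `validate_email_syntax` and `bz_crypt` untainting their arguments in place through `@_` aliasing — which would be why `$::token`, `$login_name` and `$password` are now passed as named variables instead of `$cgi->param(...)` temporaries. That dependency is invisible at the call sites and would break silently if a callee is later changed to copy its argument or a caller passes a temporary again; under taint mode the failure would likely only surface later as a DBI placeholder error. A short comment at new line 70 would record it, e.g. `# ValidatePassword throws on an invalid token and, as a side effect, untaints $::token in place (via @_ aliasing), so it must be passed as a variable rather than as $cgi->param('t').`, with a parallel remark before `validate_email_syntax($login_name)` (new line 112) and `ValidatePassword($password, ...)` (new line 130). Whether `bz_crypt` returns an already-untainted value cannot be confirmed from this diff, so the drop of `trick_taint($cryptedpassword)` in `changePassword` deserves the same check.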
|
|
| 99 |
# If the user is requesting a password change, make sure they submitted |
98 |
# If the user is requesting a password change, make sure they submitted |
| 100 |
# their login name and it exists in the database, and that the DB module is in |
99 |
# their login name and it exists in the database, and that the DB module is in |
| 101 |
# the list of allowed verification methods. |
100 |
# the list of allowed verification methods. |
|
|
101 |
my $login_name; |
| 102 |
if ( $::action eq 'reqpw' ) { |
102 |
if ( $::action eq 'reqpw' ) { |
| 103 |
defined $cgi->param('loginname') |
103 |
$login_name = $cgi->param('loginname'); |
|
|
104 |
defined $login_name |
| 104 |
|| ThrowUserError("login_needed_for_password_change"); |
105 |
|| ThrowUserError("login_needed_for_password_change"); |
| 105 |
|
106 |
|
| 106 |
# check verification methods |
107 |
# check verification methods |
|
|
| 108 |
ThrowUserError("password_change_requests_not_allowed"); |
109 |
ThrowUserError("password_change_requests_not_allowed"); |
| 109 |
} |
110 |
} |
| 110 |
|
111 |
|
| 111 |
# Make sure the login name looks like an email address. |
112 |
validate_email_syntax($login_name) |
| 112 |
validate_email_syntax($cgi->param('loginname')) |
113 |
|| ThrowUserError('illegal_email_address', {addr => $login_name}); |
| 113 |
|| ThrowUserError('illegal_email_address', |
|
|
| 114 |
{addr => $cgi->param('loginname')}); |
| 115 |
|
114 |
|
| 116 |
my $loginname = $cgi->param('loginname'); |
|
|
| 117 |
trick_taint($loginname); # Used only in a placeholder |
| 118 |
my ($user_id) = $dbh->selectrow_array('SELECT userid FROM profiles WHERE ' . |
115 |
my ($user_id) = $dbh->selectrow_array('SELECT userid FROM profiles WHERE ' . |
| 119 |
$dbh->sql_istrcmp('login_name', '?'), |
116 |
$dbh->sql_istrcmp('login_name', '?'), |
| 120 |
undef, $loginname); |
117 |
undef, $login_name); |
| 121 |
$user_id || ThrowUserError("account_inexistent"); |
118 |
$user_id || ThrowUserError("account_inexistent"); |
| 122 |
} |
119 |
} |
| 123 |
|
120 |
|
| 124 |
# If the user is changing their password, make sure they submitted a new |
121 |
# If the user is changing their password, make sure they submitted a new |
| 125 |
# password and that the new password is valid. |
122 |
# password and that the new password is valid. |
|
|
123 |
my $password; |
| 126 |
if ( $::action eq 'chgpw' ) { |
124 |
if ( $::action eq 'chgpw' ) { |
| 127 |
defined $cgi->param('password') |
125 |
$password = $cgi->param('password'); |
|
|
126 |
defined $password |
| 128 |
&& defined $cgi->param('matchpassword') |
127 |
&& defined $cgi->param('matchpassword') |
| 129 |
|| ThrowUserError("require_new_password"); |
128 |
|| ThrowUserError("require_new_password"); |
| 130 |
|
129 |
|
| 131 |
ValidatePassword($cgi->param('password'), $cgi->param('matchpassword')); |
130 |
ValidatePassword($password, $cgi->param('matchpassword')); |
| 132 |
} |
131 |
} |
| 133 |
|
132 |
|
| 134 |
################################################################################ |
133 |
################################################################################ |
|
|
| 140 |
# that variable and runs the appropriate code. |
139 |
# that variable and runs the appropriate code. |
| 141 |
|
140 |
|
| 142 |
if ($::action eq 'reqpw') { |
141 |
if ($::action eq 'reqpw') { |
| 143 |
requestChangePassword(); |
142 |
requestChangePassword($login_name); |
| 144 |
} elsif ($::action eq 'cfmpw') { |
143 |
} elsif ($::action eq 'cfmpw') { |
| 145 |
confirmChangePassword(); |
144 |
confirmChangePassword(); |
| 146 |
} elsif ($::action eq 'cxlpw') { |
145 |
} elsif ($::action eq 'cxlpw') { |
| 147 |
cancelChangePassword(); |
146 |
cancelChangePassword(); |
| 148 |
} elsif ($::action eq 'chgpw') { |
147 |
} elsif ($::action eq 'chgpw') { |
| 149 |
changePassword(); |
148 |
changePassword($password); |
| 150 |
} elsif ($::action eq 'cfmem') { |
149 |
} elsif ($::action eq 'cfmem') { |
| 151 |
confirmChangeEmail(); |
150 |
confirmChangeEmail(); |
| 152 |
} elsif ($::action eq 'cxlem') { |
151 |
} elsif ($::action eq 'cxlem') { |
|
|
| 167 |
################################################################################ |
166 |
################################################################################ |
| 168 |
|
167 |
|
| 169 |
sub requestChangePassword { |
168 |
sub requestChangePassword { |
| 170 |
Bugzilla::Token::IssuePasswordToken($cgi->param('loginname')); |
169 |
my ($login_name) = @_; |
|
|
170 |
Bugzilla::Token::IssuePasswordToken($login_name); |
| 171 |
|
171 |
|
| 172 |
$vars->{'message'} = "password_change_request"; |
172 |
$vars->{'message'} = "password_change_request"; |
| 173 |
|
173 |
|
|
|
| 194 |
} |
194 |
} |
| 195 |
|
195 |
|
| 196 |
sub changePassword { |
196 |
sub changePassword { |
|
|
197 |
my ($password) = @_; |
| 197 |
my $dbh = Bugzilla->dbh; |
198 |
my $dbh = Bugzilla->dbh; |
| 198 |
|
199 |
|
| 199 |
# Create a crypted version of the new password |
200 |
# Create a crypted version of the new password |
| 200 |
my $cryptedpassword = bz_crypt($cgi->param('password')); |
201 |
my $cryptedpassword = bz_crypt($password); |
| 201 |
trick_taint($cryptedpassword); # Used only in a placeholder |
|
|
| 202 |
|
202 |
|
| 203 |
# Get the user's ID from the tokens table. |
203 |
# Get the user's ID from the tokens table. |
| 204 |
my ($userid) = $dbh->selectrow_array('SELECT userid FROM tokens |
204 |
my ($userid) = $dbh->selectrow_array('SELECT userid FROM tokens |