Bug 349337: The time between two successive token requests should be a constant

r/a=LpSolit

Bug 349337: The time between two successive token requests should be a constant
56414122 · Koosha Khajeh Moogahi · Frédéric Buclin · 03543739 · 56414122 · 56414122
Commit 56414122 authored Apr 13, 2012 by Koosha Khajeh Moogahi Committed by Frédéric Buclin Apr 13, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

Constants.pm Bugzilla/Constants.pm +5 -0

Token.pm Bugzilla/Token.pm +3 -3

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +2 -1

No files found.
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -140,6 +140,7 @@ use Memoize;
    MAX_SUDO_TOKEN_AGE
    MAX_LOGIN_ATTEMPTS
    LOGIN_LOCKOUT_INTERVAL
+    ACCOUNT_CHANGE_INTERVAL
    MAX_STS_AGE
    SAFE_PROTOCOLS
@@ -409,6 +410,10 @@ use constant MAX_LOGIN_ATTEMPTS => 5;
 # account is locked.
 use constant LOGIN_LOCKOUT_INTERVAL => 30;
+# The time in minutes a user must wait before he can request another email to
+# create a new account or change his password.
+use constant ACCOUNT_CHANGE_INTERVAL => 10;
 # The maximum number of seconds the Strict-Transport-Security header
 # will remain valid. Default is one week.
 use constant MAX_STS_AGE => 604800;

--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -46,7 +46,7 @@ sub issue_new_user_account_token {
    # Is there already a pending request for this login name? If yes, do not throw
    # an error because the user may have lost his email with the token inside.
    # But to prevent using this way to mailbomb an email address, make sure
-    # the last request is at least 10 minutes old before sending a new email.
+    # the last request is old enough before sending a new email (default: 10 minutes).
    my $pending_requests = $dbh->selectrow_array(
        'SELECT COUNT(*)
@@ -54,7 +54,7 @@ sub issue_new_user_account_token {
          WHERE tokentype = ?
                AND ' . $dbh->sql_istrcmp('eventdata', '?') . '
                AND issuedate > '
-                    . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+                    . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
        undef, ('account', $login_name));
    ThrowUserError('too_soon_for_new_token', {'type' => 'account'}) if $pending_requests;
@@ -122,7 +122,7 @@ sub IssuePasswordToken {
        'SELECT 1 FROM tokens
          WHERE userid = ? AND tokentype = ?
                AND issuedate > ' 
-                    . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+                    . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
        undef, ($user->id, 'password'));
    ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1618,7 +1618,8 @@
    [% ELSIF type == "account" %]
      an account
    [% END %]
-    token too recently to request another. Please wait a while and try again.
+    token too recently to request another. 
+    Please wait [% constants.ACCOUNT_CHANGE_INTERVAL %] minutes then try again.
  [% ELSIF error == "unknown_action" %]
    [% IF action %]