Commit af7e8c59 authored by gerv%gerv.net's avatar gerv%gerv.net

Bug 135836 - change requests should include expiration details. Patch by…

Bug 135836 - change requests should include expiration details. Patch by zeroJ@null.net; r=gerv, justdave.
parent 97539305
...@@ -30,16 +30,28 @@ use strict; ...@@ -30,16 +30,28 @@ use strict;
# Bundle the functions in this file together into the "Token" package. # Bundle the functions in this file together into the "Token" package.
package Token; package Token;
use Date::Format;
# This module requires that its caller have said "require CGI.pl" to import # This module requires that its caller have said "require CGI.pl" to import
# relevant functions from that script and its companion globals.pl. # relevant functions from that script and its companion globals.pl.
################################################################################ ################################################################################
# Constants
################################################################################
# The maximum number of days a token will remain valid.
my $maxtokenage = 3;
################################################################################
# Functions # Functions
################################################################################ ################################################################################
sub IssueEmailChangeToken { sub IssueEmailChangeToken {
my ($userid, $old_email, $new_email) = @_; my ($userid, $old_email, $new_email) = @_;
my $token_ts = time();
my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
# Generate a unique token and insert it into the tokens table. # Generate a unique token and insert it into the tokens table.
# We have to lock the tokens table before generating the token, # We have to lock the tokens table before generating the token,
# since the database must be queried for token uniqueness. # since the database must be queried for token uniqueness.
...@@ -49,13 +61,13 @@ sub IssueEmailChangeToken { ...@@ -49,13 +61,13 @@ sub IssueEmailChangeToken {
my $quoted_emails = &::SqlQuote($old_email . ":" . $new_email); my $quoted_emails = &::SqlQuote($old_email . ":" . $new_email);
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , &::SendSQL("INSERT INTO tokens ( userid , issuedate , token ,
tokentype , eventdata ) tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , VALUES ( $userid , '$issuedate' , $quotedtoken ,
'emailold' , $quoted_emails )"); 'emailold' , $quoted_emails )");
my $newtoken = GenerateUniqueToken(); my $newtoken = GenerateUniqueToken();
$quotedtoken = &::SqlQuote($newtoken); $quotedtoken = &::SqlQuote($newtoken);
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , &::SendSQL("INSERT INTO tokens ( userid , issuedate , token ,
tokentype , eventdata ) tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , VALUES ( $userid , '$issuedate' , $quotedtoken ,
'emailnew' , $quoted_emails )"); 'emailnew' , $quoted_emails )");
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
...@@ -66,6 +78,9 @@ sub IssueEmailChangeToken { ...@@ -66,6 +78,9 @@ sub IssueEmailChangeToken {
$vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix'); $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
$vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix'); $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
$vars->{'max_token_age'} = $maxtokenage;
$vars->{'token_ts'} = $token_ts;
$vars->{'token'} = $token; $vars->{'token'} = $token;
$vars->{'emailaddress'} = $old_email . &::Param('emailsuffix'); $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
...@@ -102,6 +117,9 @@ sub IssuePasswordToken { ...@@ -102,6 +117,9 @@ sub IssuePasswordToken {
&::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname"); &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
my ($userid) = &::FetchSQLData(); my ($userid) = &::FetchSQLData();
my $token_ts = time();
my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
# Generate a unique token and insert it into the tokens table. # Generate a unique token and insert it into the tokens table.
# We have to lock the tokens table before generating the token, # We have to lock the tokens table before generating the token,
# since the database must be queried for token uniqueness. # since the database must be queried for token uniqueness.
...@@ -110,7 +128,7 @@ sub IssuePasswordToken { ...@@ -110,7 +128,7 @@ sub IssuePasswordToken {
my $quotedtoken = &::SqlQuote($token); my $quotedtoken = &::SqlQuote($token);
my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'}); my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata ) &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )"); VALUES ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
# Mail the user the token along with instructions for using it. # Mail the user the token along with instructions for using it.
...@@ -121,6 +139,9 @@ sub IssuePasswordToken { ...@@ -121,6 +139,9 @@ sub IssuePasswordToken {
$vars->{'token'} = $token; $vars->{'token'} = $token;
$vars->{'emailaddress'} = $loginname . &::Param('emailsuffix'); $vars->{'emailaddress'} = $loginname . &::Param('emailsuffix');
$vars->{'max_token_age'} = $maxtokenage;
$vars->{'token_ts'} = $token_ts;
my $message = ""; my $message = "";
$template->process("account/password/forgotten-password.txt.tmpl", $template->process("account/password/forgotten-password.txt.tmpl",
$vars, \$message) $vars, \$message)
...@@ -136,7 +157,7 @@ sub IssuePasswordToken { ...@@ -136,7 +157,7 @@ sub IssuePasswordToken {
sub CleanTokenTable { sub CleanTokenTable {
&::SendSQL("LOCK TABLES tokens WRITE"); &::SendSQL("LOCK TABLES tokens WRITE");
&::SendSQL("DELETE FROM tokens &::SendSQL("DELETE FROM tokens
WHERE TO_DAYS(NOW()) - TO_DAYS(issuedate) >= 3"); WHERE TO_DAYS(NOW()) - TO_DAYS(issuedate) >= " . $maxtokenage);
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
} }
......
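Review bot: The expiry shown to the user and the expiry enforced by CleanTokenTable now disagree: the mail templates compute `token_ts + max_token_age * 86400` (an exact 3×86400 s window), while the DELETE keeps the day-granular `TO_DAYS(NOW()) - TO_DAYS(issuedate) >= $maxtokenage`, so a token issued late in the evening becomes removable shortly after the third midnight, before the time printed in the mail. The issuedate is also written from the web server's clock via `time2str("%Y-%m-%d %H:%M", ...)` (local time, seconds dropped) but compared against the database's `NOW()`, so any clock or timezone skew between the two hosts shifts the window further. Using the same clock and the same arithmetic on the cleanup side closes both gaps, e.g. `my $cutoff = &::SqlQuote(time2str("%Y-%m-%d %H:%M:%S", time() - $maxtokenage * 86400));` followed by `WHERE issuedate < $cutoff`, together with keeping `%S` in the stored issue timestamp. For consistency with every other value in these INSERTs, `$issuedate` should also go through `&::SqlQuote` rather than being interpolated inside hand-written quotes. Whether token redemption (token.cgi, not in this diff) checks the age independently of this constant cannot be seen here; the same Token.pm section is rendered a second time below and this note covers it too.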
...@@ -30,16 +30,28 @@ use strict; ...@@ -30,16 +30,28 @@ use strict;
# Bundle the functions in this file together into the "Token" package. # Bundle the functions in this file together into the "Token" package.
package Token; package Token;
use Date::Format;
# This module requires that its caller have said "require CGI.pl" to import # This module requires that its caller have said "require CGI.pl" to import
# relevant functions from that script and its companion globals.pl. # relevant functions from that script and its companion globals.pl.
################################################################################ ################################################################################
# Constants
################################################################################
# The maximum number of days a token will remain valid.
my $maxtokenage = 3;
################################################################################
# Functions # Functions
################################################################################ ################################################################################
sub IssueEmailChangeToken { sub IssueEmailChangeToken {
my ($userid, $old_email, $new_email) = @_; my ($userid, $old_email, $new_email) = @_;
my $token_ts = time();
my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
# Generate a unique token and insert it into the tokens table. # Generate a unique token and insert it into the tokens table.
# We have to lock the tokens table before generating the token, # We have to lock the tokens table before generating the token,
# since the database must be queried for token uniqueness. # since the database must be queried for token uniqueness.
...@@ -49,13 +61,13 @@ sub IssueEmailChangeToken { ...@@ -49,13 +61,13 @@ sub IssueEmailChangeToken {
my $quoted_emails = &::SqlQuote($old_email . ":" . $new_email); my $quoted_emails = &::SqlQuote($old_email . ":" . $new_email);
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , &::SendSQL("INSERT INTO tokens ( userid , issuedate , token ,
tokentype , eventdata ) tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , VALUES ( $userid , '$issuedate' , $quotedtoken ,
'emailold' , $quoted_emails )"); 'emailold' , $quoted_emails )");
my $newtoken = GenerateUniqueToken(); my $newtoken = GenerateUniqueToken();
$quotedtoken = &::SqlQuote($newtoken); $quotedtoken = &::SqlQuote($newtoken);
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , &::SendSQL("INSERT INTO tokens ( userid , issuedate , token ,
tokentype , eventdata ) tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , VALUES ( $userid , '$issuedate' , $quotedtoken ,
'emailnew' , $quoted_emails )"); 'emailnew' , $quoted_emails )");
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
...@@ -66,6 +78,9 @@ sub IssueEmailChangeToken { ...@@ -66,6 +78,9 @@ sub IssueEmailChangeToken {
$vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix'); $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
$vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix'); $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
$vars->{'max_token_age'} = $maxtokenage;
$vars->{'token_ts'} = $token_ts;
$vars->{'token'} = $token; $vars->{'token'} = $token;
$vars->{'emailaddress'} = $old_email . &::Param('emailsuffix'); $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
...@@ -102,6 +117,9 @@ sub IssuePasswordToken { ...@@ -102,6 +117,9 @@ sub IssuePasswordToken {
&::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname"); &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
my ($userid) = &::FetchSQLData(); my ($userid) = &::FetchSQLData();
my $token_ts = time();
my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
# Generate a unique token and insert it into the tokens table. # Generate a unique token and insert it into the tokens table.
# We have to lock the tokens table before generating the token, # We have to lock the tokens table before generating the token,
# since the database must be queried for token uniqueness. # since the database must be queried for token uniqueness.
...@@ -110,7 +128,7 @@ sub IssuePasswordToken { ...@@ -110,7 +128,7 @@ sub IssuePasswordToken {
my $quotedtoken = &::SqlQuote($token); my $quotedtoken = &::SqlQuote($token);
my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'}); my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata ) &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
VALUES ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )"); VALUES ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
# Mail the user the token along with instructions for using it. # Mail the user the token along with instructions for using it.
...@@ -121,6 +139,9 @@ sub IssuePasswordToken { ...@@ -121,6 +139,9 @@ sub IssuePasswordToken {
$vars->{'token'} = $token; $vars->{'token'} = $token;
$vars->{'emailaddress'} = $loginname . &::Param('emailsuffix'); $vars->{'emailaddress'} = $loginname . &::Param('emailsuffix');
$vars->{'max_token_age'} = $maxtokenage;
$vars->{'token_ts'} = $token_ts;
my $message = ""; my $message = "";
$template->process("account/password/forgotten-password.txt.tmpl", $template->process("account/password/forgotten-password.txt.tmpl",
$vars, \$message) $vars, \$message)
...@@ -136,7 +157,7 @@ sub IssuePasswordToken { ...@@ -136,7 +157,7 @@ sub IssuePasswordToken {
sub CleanTokenTable { sub CleanTokenTable {
&::SendSQL("LOCK TABLES tokens WRITE"); &::SendSQL("LOCK TABLES tokens WRITE");
&::SendSQL("DELETE FROM tokens &::SendSQL("DELETE FROM tokens
WHERE TO_DAYS(NOW()) - TO_DAYS(issuedate) >= 3"); WHERE TO_DAYS(NOW()) - TO_DAYS(issuedate) >= " . $maxtokenage);
&::SendSQL("UNLOCK TABLES"); &::SendSQL("UNLOCK TABLES");
} }
......
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
# #
# Contributor(s): John Vandenberg <zeroj@null.net> # Contributor(s): John Vandenberg <zeroj@null.net>
#%] #%]
[% expiration_ts = token_ts + (max_token_age * 86400) %]
From: bugzilla-admin-daemon From: bugzilla-admin-daemon
To: [% emailaddress %] To: [% emailaddress %]
Subject: Bugzilla Change Email Address Request Subject: Bugzilla Change Email Address Request
...@@ -34,3 +35,5 @@ this request, visit the following link: ...@@ -34,3 +35,5 @@ this request, visit the following link:
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %] [% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
If you do nothing, the request will lapse after
[%- max_token_age %] days ([% time2str("%H:%M on the %o of %B, %Y", expiration_ts) %]).
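Review bot: The deadline printed by `time2str("%H:%M on the %o of %B, %Y", expiration_ts)` is rendered in the web server's local time with no zone indicated, so a recipient in another timezone cannot tell when the request actually lapses; adding `%Z` to the format, `time2str("%H:%M %Z on the %o of %B, %Y", expiration_ts)`, makes the stated time unambiguous. The new assignment directive sits between the closing `#%]` of the licence comment and the `From:` header; unless the template configuration trims leading output, its trailing newline becomes a blank line ahead of the headers, which a mail parser reads as the end of the header block, so writing it as `[% expiration_ts = token_ts + (max_token_age * 86400) -%]` avoids relying on that. Whether `time2str` is exported into the template namespace is not visible in this diff. The same two points apply to the other two mail templates in this commit.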
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
# #
# Contributor(s): John Vandenberg <zeroj@null.net> # Contributor(s): John Vandenberg <zeroj@null.net>
#%] #%]
[% expiration_ts = token_ts + (max_token_age * 86400) %]
From: bugzilla-admin-daemon From: bugzilla-admin-daemon
To: [% emailaddress %] To: [% emailaddress %]
Subject: Bugzilla Change Email Address Request Subject: Bugzilla Change Email Address Request
...@@ -33,3 +34,6 @@ this request, visit the following link: ...@@ -33,3 +34,6 @@ this request, visit the following link:
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %] [% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
If you do nothing, and [% newemailaddress %] confirms this request, the
change will be made permanent after
[%- max_token_age %] days ([% time2str("%H:%M on the %o of %B, %Y", expiration_ts) %]).
...@@ -18,6 +18,7 @@ ...@@ -18,6 +18,7 @@
# #
# Contributor(s): John Vandenberg <zeroj@null.net> # Contributor(s): John Vandenberg <zeroj@null.net>
#%] #%]
[% expiration_ts = token_ts + (max_token_age * 86400) %]
From: bugzilla-admin-daemon From: bugzilla-admin-daemon
To: [% emailaddress %] To: [% emailaddress %]
Subject: Bugzilla Change Password Request Subject: Bugzilla Change Password Request
...@@ -32,3 +33,6 @@ this request, visit the following link: ...@@ -32,3 +33,6 @@ this request, visit the following link:
[%+ Param('urlbase') %]token.cgi?a=cxlpw&t=[% token FILTER url_quote %] [%+ Param('urlbase') %]token.cgi?a=cxlpw&t=[% token FILTER url_quote %]
If you do nothing, the request will lapse after
[%- max_token_age %] days
([% time2str("%H:%M on the %o of %B, %Y", expiration_ts) -%]) or when you log in successfully.