Bug 355596: Your password should be requested to confirm your email address change

r/a=LpSolit

Bug 355596: Your password should be requested to confirm your email address change
ef279711 · Koosha Khajeh Moogahi · Frédéric Buclin · 022510ad · ef279711 · ef279711
Commit ef279711 authored May 28, 2012 by Koosha Khajeh Moogahi Committed by Frédéric Buclin May 28, 2012
Showing with 16 additions and 10 deletions

confirm.html.tmpl template/en/default/account/email/confirm.html.tmpl +3 -3

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +2 -2

token.cgi token.cgi +11 -5

No files found.
--- a/template/en/default/account/email/confirm.html.tmpl
+++ b/template/en/default/account/email/confirm.html.tmpl
@@ -14,7 +14,7 @@
 [% PROCESS global/header.html.tmpl %]

 <p>
-  To change your email address, please enter the old email address:
+  To change your email address, please enter your current password:
 </p>

 <form method="post" action="token.cgi">
@@ -22,8 +22,8 @@
  <input type="hidden" name="a" value="chgem">
  <table>
    <tr>
-      <th align="right">Old Email Address:</th>
-      <td><input type="text" name="email" size="36"></td>
+      <th align="right">Password:</th>
+      <td><input type="password" name="password" size="36"></td>
    </tr>
    <tr>
      <th align="right">&nbsp;</th>

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1299,8 +1299,8 @@
    [% END %]

  [% ELSIF error == "old_password_incorrect" %]
-    [% title = "Incorrect Old Password" %]
-    You did not enter your old password correctly.
+    [% title = "Incorrect Password" %]
+    You did not enter your current password correctly.

  [% ELSIF error == "old_password_required" %]
    [% title = "Old Password Required" %]

--- a/token.cgi
+++ b/token.cgi
@@ -195,10 +195,18 @@ sub changeEmail {
    my $dbh = Bugzilla->dbh;
    my ($old_email, $new_email) = split(/:/,$eventdata);

-    # Check the user entered the correct old email address
-    if (lc($cgi->param('email')) ne lc($old_email)) {
-        ThrowUserError("email_confirmation_failed");
+    $dbh->bz_start_transaction();
+    
+    my $user = Bugzilla::User->check({ id => $userid });
+    my $realpassword = $user->cryptpassword;
+    my $cgipassword  = $cgi->param('password');
+
+    # Make sure the user who wants to change the email address
+    # is the real account owner.
+    if (bz_crypt($cgipassword, $realpassword) ne $realpassword) {
+        ThrowUserError("old_password_incorrect");
    }
+
    # The new email address should be available as this was 
    # confirmed initially so cancel token if it is not still available
    if (! is_available_username($new_email,$old_email)) {
@@ -207,8 +215,6 @@ sub changeEmail {
        ThrowUserError("account_exists", { email => $new_email } );
    } 

-    $dbh->bz_start_transaction();
-    my $user = Bugzilla::User->check({ id => $userid });
    # Update the user's login name in the profiles table.
    $user->set_login($new_email);
    $user->update({ keep_session => 1, keep_tokens => 1 });