Bug 1394915- Protect against 2FA by-pass in reset_password.cgi
authorMary Umoh <umohm12@gmail.com>
Wed, 30 Aug 2017 18:23:56 +0000 (14:23 -0400)
committerDylan William Hardison <dylan@hardison.net>
Wed, 30 Aug 2017 18:23:56 +0000 (14:23 -0400)
reset_password.cgi
template/en/default/global/user-error.html.tmpl

index fb095c27d59fb7e3ed016d179715bc69452eb844..3b0e3684949f24430e94b9349d566c463a8ff997 100755 (executable)
@@ -25,6 +25,8 @@ my $user = Bugzilla->login(LOGIN_REQUIRED);
 my $template = Bugzilla->template;
 my $dbh = Bugzilla->dbh;
 
+ThrowUserError('reset_password_denied') unless $user->password_change_required;
+
 if ($cgi->param('do_save')) {
     my $token = $cgi->param('token');
     check_token_data($token, 'reset_password');
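Review bot: The new guard `ThrowUserError('reset_password_denied') unless $user->password_change_required;` has no comment saying why this page is now restricted, and nothing in the hunk connects it to the 2FA bypass named in the commit title, so a later maintainer loosening the condition would not see what it protects. I would add above it: `# Only an account whose password change was forced (password_change_required) may use this page; any other user must change their password through the normal preferences flow, which presumably enforces 2FA — dropping this check reopens the bypass from bug 1394915.` Placing the guard before the `do_save` branch is the right order, since a user without the flag is rejected before any token handling runs. The rest of the script, including the `do_save` handling, continues past the end of the hunk.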
index f9e019cb5aae2efbd82f911479472ee35e90a25e..1aa92ead0fbc5e1612f16e70ba6a117df88f8643 100644 (file)
     [% title = "Password Unchanged" %]
     Your new password cannot be the same as your old password.
 
+  [% ELSIF error == "reset_password_denied" %]
+    [% title = "Reset Password Denied" %]
+    You cannot reset your password without administrative permission. 
+
   [% ELSIF error == "no_axes_defined" %]
     [% title = "No Axes Defined" %]
     [% docslinks = {'reporting.html' => 'Reporting'} %]