Bug 250897: Enforce a 10 minute waiting period between password reset attempts to...

 submitted multiple times.
Patch by Joel Peshkin <bugreport@peshkin.net>
r=kiko, a=justdave

diff --git a/Token.pm b/Token.pm
index 78eef9335fda94666444a6193d5d2cda275f1f8f..9823124812c16f40a67ed3fe4e43cc289f4afcce 100644 (file)
--- a/Token.pm
+++ b/Token.pm
@@ -114,11 +114,19 @@ sub IssuePasswordToken {
 
     # Retrieve the user's ID from the database.
     my $quotedloginname = &::SqlQuote($loginname);
-    &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
-    my ($userid) = &::FetchSQLData();
+    &::SendSQL("SELECT profiles.userid, tokens.issuedate FROM profiles 
+                    LEFT JOIN tokens
+                    ON tokens.userid = profiles.userid
+                    AND tokens.tokentype = 'password'
+                    AND tokens.issuedate > DATE_SUB(NOW(), INTERVAL 10 MINUTE)
+                    WHERE login_name = $quotedloginname");
+    my ($userid, $toosoon) = &::FetchSQLData();
+
+    if ($toosoon) {
+        &::DisplayError('Too Soon For Another Password Token') && exit;
+    };
 
     my $token_ts = time();
-    my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
 
     # Generate a unique token and insert it into the tokens table.
     # We have to lock the tokens table before generating the token, 
@@ -128,7 +136,7 @@ sub IssuePasswordToken {
     my $quotedtoken = &::SqlQuote($token);
     my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
     &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
-                VALUES      ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
+                VALUES      ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )");
     &::SendSQL("UNLOCK TABLES");
 
     # Mail the user the token along with instructions for using it.