Bug 1402982 - Can't log out during mfa-lockout or password-reset state

author Dylan William Hardison <dylan@hardison.net>

Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)

committer GitHub <noreply@github.com>

Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)
author Dylan William Hardison <dylan@hardison.net>
Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)
committer GitHub <noreply@github.com>
Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)
diff --git a/Bugzilla.pm b/Bugzilla.pm

index a539616e9357c06def17e41b85ef88758ee33f80..fba1a41722be93570f1219a1e18f24526291336c 100644 (file)
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -384,8 +384,10 @@ sub login {
  
      # Check if a password reset is required
      my $cgi = Bugzilla->cgi;
-    if ( $authenticated_user->password_change_required ) {
+    my $script_name = $cgi->script_name;
+    my $do_logout   = $cgi->param('logout');
  
+    if ( $authenticated_user->password_change_required ) {
          # We cannot show the password reset UI for API calls, so treat those as
          # a disabled account.
          if ( i_am_webservice() ) {
@@ -395,7 +397,7 @@ sub login {
          # only allow the reset-password and token pages to handle requests
          # (tokens handles the 'forgot password' process)
          # otherwise redirect user to the reset-password page.
-        if ( $ENV{SCRIPT_NAME} !~ m#/(?:reset_password|token)\.cgi$# ) {
+        if ( $script_name !~ m#/(?:reset_password|token)\.cgi$# && !$do_logout ) {
              my $self_url     = trim($cgi->self_url);
              my $sig_type     = 'prev_url:' . $authenticated_user->id;
              my $self_url_sig = issue_hash_sig($sig_type, $self_url);
@@ -408,18 +410,18 @@ sub login {
      elsif ( !i_am_webservice() && $authenticated_user->in_mfa_group && !$authenticated_user->mfa ) {
  
          # decide if the user needs a warning or to be blocked.
-        my $date         = $authenticated_user->mfa_required_date('UTC');
-        my $grace_period = Bugzilla->params->{mfa_group_grace_period};
-        my $expired      = defined $date && $date < DateTime->now;
-        my $on_mfa_page  = $cgi->script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
-        my $on_token_page = $cgi->script_name eq '/token.cgi';
+        my $date          = $authenticated_user->mfa_required_date('UTC');
+        my $grace_period  = Bugzilla->params->{mfa_group_grace_period};
+        my $expired       = defined $date && $date < DateTime->now;
+        my $on_mfa_page   = $script_name eq '/userprefs.cgi' && $cgi->param('tab') eq 'mfa';
+        my $on_token_page = $script_name eq '/token.cgi';
  
          Bugzilla->request_cache->{mfa_warning} = 1;
          Bugzilla->request_cache->{mfa_grace_period_expired} = $expired;
          Bugzilla->request_cache->{on_mfa_page} = $on_mfa_page;
  
          if ( $grace_period == 0 || $expired) {
-            if ( !( $on_mfa_page || $on_token_page ) ) {
+            if ( !( $on_mfa_page || $on_token_page || $do_logout ) ) {
                  print Bugzilla->cgi->redirect("userprefs.cgi?tab=mfa");
                  exit;
              }
author	Dylan William Hardison <dylan@hardison.net>
	Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)
committer	GitHub <noreply@github.com>
	Tue, 3 Oct 2017 13:27:34 +0000 (09:27 -0400)