MAX_SUDO_TOKEN_AGE
MAX_LOGIN_ATTEMPTS
LOGIN_LOCKOUT_INTERVAL
+ ACCOUNT_CHANGE_INTERVAL
MAX_STS_AGE
SAFE_PROTOCOLS
# account is locked.
use constant LOGIN_LOCKOUT_INTERVAL => 30;
+# The time in minutes a user must wait before he can request another email to
+# create a new account or change his password.
+use constant ACCOUNT_CHANGE_INTERVAL => 10;
+
# The maximum number of seconds the Strict-Transport-Security header
# will remain valid. Default is one week.
use constant MAX_STS_AGE => 604800;
# Is there already a pending request for this login name? If yes, do not throw
# an error because the user may have lost his email with the token inside.
# But to prevent using this way to mailbomb an email address, make sure
- # the last request is at least 10 minutes old before sending a new email.
+ # the last request is old enough before sending a new email (default: 10 minutes).
my $pending_requests = $dbh->selectrow_array(
'SELECT COUNT(*)
WHERE tokentype = ?
AND ' . $dbh->sql_istrcmp('eventdata', '?') . '
AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
undef, ('account', $login_name));
ThrowUserError('too_soon_for_new_token', {'type' => 'account'}) if $pending_requests;
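Review bot: The rewritten comment on the first changed line calls ACCOUNT_CHANGE_INTERVAL a "default", but it is a compile-time `use constant`, not a configurable setting, so a reader may go looking for a parameter that does not exist; prefer `# the last request is at least ACCOUNT_CHANGE_INTERVAL minutes old before sending a new email.` The unit is fixed by the `'MINUTE'` argument in the sql_date_math call further down, not by the constant itself, so a comment at the call site such as `# ACCOUNT_CHANGE_INTERVAL is expressed in minutes; keep the unit in sync with the constant's definition.` would guard against a future change to one side only; the same coupling appears in the password-token check later in the diff. As rendered here the `SELECT COUNT(*)` statement has no FROM clause before `WHERE`, which is most likely a line lost in this rendering rather than in the code, but worth confirming against the file. The enclosing subroutine starts before this hunk.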
'SELECT 1 FROM tokens
WHERE userid = ? AND tokentype = ?
AND issuedate > '
- . $dbh->sql_date_math('NOW()', '-', 10, 'MINUTE'),
+ . $dbh->sql_date_math('NOW()', '-', ACCOUNT_CHANGE_INTERVAL, 'MINUTE'),
undef, ($user->id, 'password'));
ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;