From: Frédéric Buclin <LpSolit@gmail.com>
Date: Mon, 29 Mar 2010 21:43:35 +0000 (+0200)
Subject: Bug 553693: A new logincookie is created when changing the password or email address... 
X-Git-Tag: bugzilla-3.6~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a367d693b9b9ede32da2ee3bd5b8de4e246bff1;p=thirdparty%2Fbugzilla.git

Bug 553693: A new logincookie is created when changing the password or email address instead of reusing the existing one
r/a=mkanat
---

diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index 15f0702a7f..0457ff892e 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -33,9 +33,8 @@
   <tr>
     <th align="right">Password:</th>
     <td>
-      <input type="hidden" name="Bugzilla_login" 
-             value="[% user.login FILTER html %]">
-      <input type="password" name="Bugzilla_password">
+      <input type="hidden" name="old_login" value="[% user.login FILTER html %]">
+      <input type="password" name="old_password">
     </td>
   </tr>              
   <tr>
diff --git a/userprefs.cgi b/userprefs.cgi
index e6ee8fb8a0..d844645da1 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -79,31 +79,28 @@ sub SaveAccount {
     my $dbh = Bugzilla->dbh;
     my $user = Bugzilla->user;
 
+    my $oldpassword = $cgi->param('old_password');
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
+    my $old_login_name = $cgi->param('old_login');
+    my $new_login_name = trim($cgi->param('new_login_name'));
+
     if ($user->authorizer->can_change_password
-        && ($cgi->param('Bugzilla_password') ne "" || $pwd1 ne "" || $pwd2 ne ""))
+        && ($oldpassword ne "" || $pwd1 ne "" || $pwd2 ne ""))
     {
-        my ($oldcryptedpwd) = $dbh->selectrow_array(
-                        q{SELECT cryptpassword FROM profiles WHERE userid = ?},
-                        undef, $user->id);
+        my $oldcryptedpwd = $user->cryptpassword;
         $oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password");
 
-        my $oldpassword = $cgi->param('Bugzilla_password');
-
-        if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) 
-        {
+        if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) {
             ThrowUserError("old_password_incorrect");
         }
 
-        if ($pwd1 ne "" || $pwd2 ne "")
-        {
-            $cgi->param('new_password1')
-              || ThrowUserError("new_password_missing");
+        if ($pwd1 ne "" || $pwd2 ne "") {
+            $pwd1 || ThrowUserError("new_password_missing");
             validate_password($pwd1, $pwd2);
 
-            if ($cgi->param('Bugzilla_password') ne $pwd1) {
+            if ($oldpassword ne $pwd1) {
                 my $cryptedpassword = bz_crypt($pwd1);
                 $dbh->do(q{UPDATE profiles
                               SET cryptpassword = ?
@@ -118,14 +115,10 @@ sub SaveAccount {
 
     if ($user->authorizer->can_change_email
         && Bugzilla->params->{"allowemailchange"}
-        && $cgi->param('new_login_name'))
+        && $new_login_name)
     {
-        my $old_login_name = $cgi->param('Bugzilla_login');
-        my $new_login_name = trim($cgi->param('new_login_name'));
-
-        if($old_login_name ne $new_login_name) {
-            $cgi->param('Bugzilla_password') 
-              || ThrowUserError("old_password_required");
+        if ($old_login_name ne $new_login_name) {
+            $oldpassword || ThrowUserError("old_password_required");
 
             # Block multiple email changes for the same user.
             if (Bugzilla::Token::HasEmailChangeToken($user->id)) {
@@ -497,16 +490,19 @@ sub SaveSavedSearches {
 
 my $cgi = Bugzilla->cgi;
 
-# This script needs direct access to the username and password CGI variables,
-# so we save them before their removal in Bugzilla->login, and delete them 
-# before login in case we might be in a sudo session.
-my $bugzilla_login    = $cgi->param('Bugzilla_login');
-my $bugzilla_password = $cgi->param('Bugzilla_password');
+# Delete credentials before logging in in case we are in a sudo session.
 $cgi->delete('Bugzilla_login', 'Bugzilla_password') if ($cgi->cookie('sudo'));
+$cgi->delete('GoAheadAndLogIn');
+
+# First try to get credentials from cookies.
+Bugzilla->login(LOGIN_OPTIONAL);
 
+if (!Bugzilla->user->id) {
+    # Use credentials given in the form if login cookies are not available.
+    $cgi->param('Bugzilla_login', $cgi->param('old_login'));
+    $cgi->param('Bugzilla_password', $cgi->param('old_password'));
+}
 Bugzilla->login(LOGIN_REQUIRED);
-$cgi->param('Bugzilla_login', $bugzilla_login);
-$cgi->param('Bugzilla_password', $bugzilla_password);
 
 $vars->{'changes_saved'} = $cgi->param('dosave');