From a6b023a816202a91c306fd897fbbb1abc06d72e7 Mon Sep 17 00:00:00 2001
From: dklawren <dklawren@users.noreply.github.com>
Date: Tue, 24 Sep 2019 09:50:54 -0400
Subject: [PATCH] Bug 1549262 - Lack of password confirmation when deleting
 your account.

---
 template/en/default/account/prefs/account.html.tmpl | 4 ++++
 userprefs.cgi                                       | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index db8633751..8f9bf6a0e 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -149,6 +149,10 @@
             however, your email address and name will be removed in most locations.
             We are not able to remove your details that are part of comment text.
           </p>
+          <p>
+            <em>Warning:</em> You will need to enter your current password above to
+            confirm this action.
+          </p>
           <p>
             <input type="checkbox" id="account-disable-confirm">
             I acknowledge that my account will not be functional after it has been
diff --git a/userprefs.cgi b/userprefs.cgi
index e2127fe43..0462f5eed 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -198,6 +198,15 @@ sub MfaAccount {
 
 sub DisableAccount {
   my $user = Bugzilla->user;
+  my $cgi  = Bugzilla->cgi;
+
+  my $oldpassword   = $cgi->param('old_password');
+  my $oldcryptedpwd = $user->cryptpassword;
+  $oldcryptedpwd || ThrowCodeError("unable_to_retrieve_password");
+
+  if (bz_crypt($oldpassword, $oldcryptedpwd) ne $oldcryptedpwd) {
+    ThrowUserError("old_password_incorrect");
+  }
 
   my $new_login = 'u' . $user->id . '@disabled.tld';
 
-- 
2.47.3