authorMatthew Somerville <matthew-github@dracos.co.uk>2018-09-06 17:42:54 +0100
committerMatthew Somerville <matthew-github@dracos.co.uk>2018-09-06 17:42:54 +0100
commitaaa0887eca2c030ba56376888934ee1e29b26932 (patch)
treee611e4ec6afed9c27f9df3abe371c22e7d66da07 /perllib/FixMyStreet
parent80cf37ef3f52d5b466c13c7bddfddd62f6d4f8fc (diff)
Update user object before attempting sign-in.v2.3.5
This prevents leaking of user account phone number on a failed login attempt.
Diffstat (limited to 'perllib/FixMyStreet')
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/New.pm3
1 files changed, 2 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index b5e5c5738..6cbf2291f 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -805,6 +805,8 @@ sub process_user : Private {
$c->stash->{phone_may_be_mobile} = $type eq 'phone' && $parsed->{may_be_mobile};
+ $c->forward('update_user', [ \%params ]);
+
# The user is trying to sign in. We only care about username from the params.
if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
$c->stash->{tfa_data} = {
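Review bot: The added `$c->forward('update_user', [ \%params ]);` carries no comment saying that its position ahead of the sign-in branch is security-relevant, so a later tidy-up could move it back below the `return 1;` (where the second hunk removes it) and reintroduce the leak the commit message describes. I would put a comment above it such as `# Must run before the sign-in branch: otherwise a failed login re-renders with the stored account's phone number.` update_user is not visible here, so it is worth confirming that it only changes the in-memory object, and that nothing saves request-supplied fields onto an existing account before the password has been checked. A regression test that submits a wrong password for an existing user and asserts the response does not contain that user's stored phone number would pin the fix. process_user starts and ends outside both hunks.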
@@ -825,7 +827,6 @@ sub process_user : Private {
return 1;
}
- $c->forward('update_user', [ \%params ]);
if ($params{password_register}) {
$c->forward('/auth/test_password', [ $params{password_register} ]);
$report->user->password($params{password_register});