From a978c0a1ad216f7004ef88b8a58b9731242155dc Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Mon, 6 Jul 2015 17:35:35 +0100
Subject: Factor out all uses of param()/params.

Use a central get_param and get_param_list functions dependent on whether we're after a scalar or a list (almost always a scalar). This prevents any possibility of confusion where param() could return a list, or params->{} an arrayref.
---
 perllib/FixMyStreet/App/Controller/Auth.pm | 33 +++++++++++++++----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

(limited to 'perllib/FixMyStreet/App/Controller/Auth.pm')

diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index fad8941c5..66cf3979c 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -28,22 +28,21 @@ Present the user with a sign in / create account page.
 sub general : Path : Args(0) {
     my ( $self, $c ) = @_;
-    my $req = $c->req;
-    $c->detach( 'redirect_on_signin', [ $req->param('r') ] )
-        if $c->user && $req->param('r');
+    $c->detach( 'redirect_on_signin', [ $c->get_param('r') ] )
+        if $c->user && $c->get_param('r');
     # all done unless we have a form posted to us
-    return unless $req->method eq 'POST';
+    return unless $c->req->method eq 'POST';
     # decide which action to take
-    my $has_password = $req->param('sign_in') || $req->param('password_sign_in');
-    my $has_email = $req->param('email_sign_in') || $req->param('name') || $req->param('password_register');
+    my $has_password = $c->get_param('sign_in') || $c->get_param('password_sign_in');
+    my $has_email = $c->get_param('email_sign_in') || $c->get_param('name') || $c->get_param('password_register');
     $c->detach('email_sign_in') if $has_email && !$has_password;
     $c->forward( 'sign_in' )
-      && $c->detach( 'redirect_on_signin', [ $req->param('r') ] );
+      && $c->detach( 'redirect_on_signin', [ $c->get_param('r') ] );
 }
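Review bot: The `r` parameter is a user-supplied redirect target that this hunk hands to redirect_on_signin unchecked at both call sites in `general`, and nothing in the hunk restricts it to a same-site path; if redirect_on_signin (not visible here) does not reject absolute or protocol-relative URLs, a crafted sign-in link becomes an open redirect. Reading it once and filtering at the source keeps both sites consistent: `my $r = $c->get_param('r');` followed by `undef $r unless defined $r && $r =~ m{\A/(?![/\\])};`, then passing `$r` in place of the two `$c->get_param('r')` calls. Whether redirect_on_signin already performs this check should be confirmed before relying on it. The body of `general` is fully contained in this hunk.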
@@ -56,9 +55,9 @@ Allow the user to sign in with a username and a password.
 sub sign_in : Private {
     my ( $self, $c, $email ) = @_;
-    $email ||= $c->req->param('email') || '';
-    my $password = $c->req->param('password_sign_in') || '';
-    my $remember_me = $c->req->param('remember_me') || 0;
+    $email ||= $c->get_param('email') || '';
+    my $password = $c->get_param('password_sign_in') || '';
+    my $remember_me = $c->get_param('remember_me') || 0;
     # Sign out just in case
     $c->logout();
@@ -95,7 +94,7 @@ sub email_sign_in : Private {
     my ( $self, $c ) = @_;
     # check that the email is valid - otherwise flag an error
-    my $raw_email = lc( $c->req->param('email') || '' );
+    my $raw_email = lc( $c->get_param('email') || '' );
     my $email_checker = Email::Valid->new(
         -mxcheck => 1,
@@ -112,8 +111,8 @@ sub email_sign_in : Private {
     }
     my $user_params = {};
-    $user_params->{password} = $c->req->param('password_register')
-        if $c->req->param('password_register');
+    $user_params->{password} = $c->get_param('password_register')
+        if $c->get_param('password_register');
     my $user = $c->model('DB::User')->new( $user_params );
     my $token_obj = $c->model('DB::Token') #
@@ -122,8 +121,8 @@ sub email_sign_in : Private {
             scope => 'email_sign_in',
             data => {
                 email => $good_email,
-                r => $c->req->param('r'),
-                name => $c->req->param('name'),
+                r => $c->get_param('r'),
+                name => $c->get_param('name'),
                 password => $user->password,
             }
         }
@@ -221,8 +220,8 @@ sub change_password : Local {
     return unless $c->req->method eq 'POST';
     # get the passwords
-    my $new = $c->req->param('new_password') // '';
-    my $confirm = $c->req->param('confirm') // '';
+    my $new = $c->get_param('new_password') // '';
+    my $confirm = $c->get_param('confirm') // '';
     # check for errors
     my $password_error =
-- 
cgit v1.2.3


From 2ac123a2e0e4594099a11057647ffc190219993d Mon Sep 17 00:00:00 2001
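Review bot: The password read from `password_register` in the @@ -112 hunk is placed into the new User with no length or content check visible here, and the same value is then carried in the token's `data` as `$user->password` in the @@ -122 hunk. Whether that accessor yields a hash or the raw string depends on DB::User, which is outside these hunks; if it is raw, the plaintext password is persisted in the token row for as long as the token lives. A comment on the `password => $user->password,` line should record the assumption, e.g. `# NOTE(review): relies on DB::User hashing on assignment; a raw value here would persist the plaintext password in the token row — confirm`, and a minimum-length check before `$c->model('DB::User')->new( $user_params )` would reject trivially weak registrations at the only point they are accepted. The @@ -95 hunk's `-mxcheck => 1` also triggers a DNS lookup per submitted address, which is unchanged by this commit but worth keeping in mind when rate-limiting this route. `email_sign_in` starts and ends outside these hunks.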
From: Matthew Somerville
Date: Thu, 9 Jul 2015 20:33:51 +0100
Subject: Alter token logging in and timeout behaviour.

Restrict email_sign_in token to one day, unused confirmation tokens to one month. Used tokens will redirect to the created thing but not log in; don't log in with alert links (unsubscribe link never expires, reply link will still show "reopen" tickbox).
---
 perllib/FixMyStreet/App/Controller/Auth.pm | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'perllib/FixMyStreet/App/Controller/Auth.pm')

diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 66cf3979c..63bf91ff5 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -155,6 +155,11 @@ sub token : Path('/M') : Args(1) {
         return;
     }
+    if ( $token_obj->created < DateTime->now->subtract( days => 1 ) ) {
+        $c->stash->{token_not_found} = 1;
+        return;
+    }
+
     # Sign out in case we are another user
     $c->logout();
-- 
cgit v1.2.3
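Review bot: The new expiry check in `token` hard-codes the one-day window inline and relies on `$token_obj->created` comparing as a DateTime; if that column is not inflated, or is inflated in a floating or local zone while `DateTime->now` is UTC, the `<` degrades silently and tokens expire early, late, or never. Naming the window and stating the assumption makes the intent checkable: `# Tokens older than this are reported as not found; `created` must inflate to a DateTime comparable with DateTime->now (UTC) — confirm` above `my $max_age = DateTime->now->subtract( days => 1 );`, then `if ( $token_obj->created < $max_age ) {`. Reusing `token_not_found` for the expired case keeps the response indistinguishable from an unknown token, which is the right choice for not leaking token state. The expired row is not deleted here, so expired tokens presumably accumulate until some separate clean-up runs; worth confirming one exists. `token` starts and ends outside this hunk.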