From 56342f21d27295e98327be4b49e54205b7a02e13 Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Mon, 18 Mar 2019 18:55:39 +0100
Subject: [PATCH] demand a valid password for account deletion
---
 index.pl | 6 ++++++
 templates/account.html.ep | 44 ++++++++++++++++++++++++++++++++-------
 2 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/index.pl b/index.pl
index 1af79a4..06318fa 100755
--- a/index.pl
+++ b/index.pl
@@ -1479,8 +1479,14 @@ post '/delete' => sub {
 $self->render( 'account', invalid => 'csrf' );
 return;
 }
+
 my $now = DateTime->now( time_zone => 'Europe/Berlin' )->epoch;
+
 if ( $self->param('action') eq 'delete' ) {
+ if (not $self->authenticate($self->current_user->{name}, $self->param('password'))) {
+ $self->render( 'account', invalid => 'password' );
+ return;
+ }
 $self->app->mark_for_deletion_query->execute( $now, $self->current_user->{id} );
 }
diff --git a/templates/account.html.ep b/templates/account.html.ep
index 4917961..17b5e48 100644
--- a/templates/account.html.ep
+++ b/templates/account.html.ep
@@ -1,3 +1,30 @@
+% if (my $invalid = stash('invalid')) {
+
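Review bot: `$self->param('password')` is handed to `authenticate` unchecked in the new `if (not ...)` line, so a POST with `action=delete` and no password field passes `undef` to the authentication plugin, and whether that is rejected depends on the plugin's validate callback, which is not visible here. Making the value explicit keeps the failure path under this code's control (and on Mojolicious releases before 7.0, where `param` in list context could return several values, also pins it to one argument): `my $password = $self->param('password') // q{};` followed by `if ( not $self->authenticate( $self->current_user->{name}, $password ) ) {`. With this check the route also becomes a password oracle for anyone holding a hijacked session, and nothing in the hunk throttles or logs failed attempts, so unless that is handled elsewhere in the app a `$self->app->log->warn(...)` on the failure branch is the minimum worth adding. The added line dereferences `$self->current_user` directly; if this route is not behind an authenticated `under`, an anonymous POST would die here instead of being rejected cleanly — the guard is not visible in the hunk. The `post '/delete'` sub starts before the hunk and continues past it, so the password requirement as written applies only to the `delete` action, not to whatever the branch after the `if` does.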
+
+
+
+ % if ($invalid eq 'csrf') { + Ungültiger CSRF-Token +

Sind Cookies aktiviert? Ansonsten könnte es sich um einen + Fall von CSRF + handeln.

+ % } + % elsif ($invalid eq 'password') { + Ungültiges Passwort +

Aus Sicherheitsgründen kann der Account nur nach Passworteingabe + gelöscht werden.

+ % } + % else { + Unbekannter Fehler +

„<%= $invalid %>“

+ % } +
+
+
+
+% } +

Account

% my $acc = current_user();
@@ -192,17 +219,18 @@
-
-
-
- %= form_for 'delete' => begin + %= form_for 'delete' => begin +
+ lock + %= password_field 'password', id => 'password', class => 'validate', required => undef, autocomplete => 'current-password' + +
+
%= csrf_field - %= end -
-
-
+
+ %= end
% }