authorDaniel Friesel <derf@finalrewind.org>2019-03-18 18:55:39 +0100
committerDaniel Friesel <derf@finalrewind.org>2019-03-18 18:55:39 +0100
commit56342f21d27295e98327be4b49e54205b7a02e13 (patch)
tree0566f1fddeea4451194042bef651e565da538fed
parent07b3ea19a6ee820da9bf3b9ee5f9504e05f54356 (diff)
demand a valid password for account deletion
-rwxr-xr-xindex.pl6
-rw-r--r--templates/account.html.ep44
2 files changed, 42 insertions, 8 deletions
diff --git a/index.pl b/index.pl
index 1af79a4..06318fa 100755
--- a/index.pl
+++ b/index.pl
@@ -1479,8 +1479,14 @@ post '/delete' => sub {
$self->render( 'account', invalid => 'csrf' );
return;
}
+
my $now = DateTime->now( time_zone => 'Europe/Berlin' )->epoch;
+
if ( $self->param('action') eq 'delete' ) {
+ if (not $self->authenticate($self->current_user->{name}, $self->param('password'))) {
+ $self->render( 'account', invalid => 'password' );
+ return;
+ }
$self->app->mark_for_deletion_query->execute( $now,
$self->current_user->{id} );
}
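Review bot: The new check in the `action eq 'delete'` branch hands `$self->param('password')` to `authenticate` unchanged, so a request that omits the field passes `undef` to the authenticator (which may warn or behave differently from an empty string depending on the validate_user callback); default it first, `my $password = $self->param('password') // '';` and pass `$password`. Nothing in this hunk throttles or records failed attempts, so a hijacked session now has an unthrottled oracle for guessing the account's own password — at minimum `$self->app->log->warn('failed re-authentication for account deletion: ' . $self->current_user->{name});` in the failure branch so the attempts are visible to detection. The password gate also covers only `action eq 'delete'`; any other actions handled after the hunk proceed without re-authentication, which is fine only if none of them is sensitive. The enclosing `post '/delete'` handler starts before the hunk, so whether `current_user` is guaranteed defined when `->{name}` is dereferenced cannot be confirmed from here.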
diff --git a/templates/account.html.ep b/templates/account.html.ep
index 4917961..17b5e48 100644
--- a/templates/account.html.ep
+++ b/templates/account.html.ep
@@ -1,3 +1,30 @@
+% if (my $invalid = stash('invalid')) {
+ <div class="row">
+ <div class="col s12">
+ <div class="card red darken-4">
+ <div class="card-content white-text">
+ % if ($invalid eq 'csrf') {
+ <span class="card-title">Ungültiger CSRF-Token</span>
+ <p>Sind Cookies aktiviert? Ansonsten könnte es sich um einen
+ Fall von <a
+ href="https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery">CSRF</a>
+ handeln.</p>
+ % }
+ % elsif ($invalid eq 'password') {
+ <span class="card-title">Ungültiges Passwort</span>
+ <p>Aus Sicherheitsgründen kann der Account nur nach Passworteingabe
+ gelöscht werden.</p>
+ % }
+ % else {
+ <span class="card-title">Unbekannter Fehler</span>
+ <p>„<%= $invalid %>“</p>
+ % }
+ </div>
+ </div>
+ </div>
+ </div>
+% }
+
<h1>Account</h1>
% my $acc = current_user();
<div class="row">
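Review bot: The fallback branch under `Unbekannter Fehler` renders whatever token the controller placed in `invalid` straight into the page; Mojolicious' `<%= %>` HTML-escapes by default, so this is not an injection vector unless `auto_escape` has been disabled elsewhere, but it still surfaces an internal stash value to the user. Consider replacing `<p>„<%= $invalid %>“</p>` with a fixed message such as `<p>Bitte später erneut versuchen.</p>` and leaving the unexpected value to the server log. Whether `invalid` can be set from anywhere other than the `/delete` handler is not visible in this diff.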
@@ -192,17 +219,18 @@
</div>
</div>
<div class="row">
- <div class="col s1 m1 l3">
- </div>
- <div class="col s10 m10 l6 center-align">
- %= form_for 'delete' => begin
+ %= form_for 'delete' => begin
+ <div class="input-field col s12 m12 l8">
+ <i class="material-icons prefix">lock</i>
+ %= password_field 'password', id => 'password', class => 'validate', required => undef, autocomplete => 'current-password'
+ <label for="password">Passwort</label>
+ </div>
+ <div class="input-field col s12 m12 l4 center-align">
%= csrf_field
<button class="btn waves-effect waves-light red" type="submit" name="action" value="delete">
Account löschen
</button>
- %= end
- </div>
- <div class="col s1 m1 l3">
- </div>
+ </div>
+ %= end
</div>
% }