From e8a22b94cb20d17c0aa61a4d0991e6605e1ca50a Mon Sep 17 00:00:00 2001
From: IKEDA Soji
Date: Thu, 14 Jan 2021 17:58:42 +0900
Subject: [PATCH] Add confirmation to requestpasswd action to prevent spamming
---
 default/web_tt2/confirm_action.tt2 | 17 +++++++++++++++++
 default/web_tt2/renewpasswd.tt2 | 5 +++--
 src/cgi/wwsympa.fcgi.in | 16 ++++++++++++++--
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/default/web_tt2/confirm_action.tt2 b/default/web_tt2/confirm_action.tt2
index a8fc74a90..e6bd1a995 100644
--- a/default/web_tt2/confirm_action.tt2
+++ b/default/web_tt2/confirm_action.tt2
@@ -327,6 +327,20 @@ [%|loc(template_name)%]Do you really want to remove %1?[%END%]

+[%~ ELSIF confirm_action == 'requestpasswd' ~%]
+

+
+ [% IF reason == 'firstpasswd' %]
+ [%|loc%]Request first password[%END%]
+ [% ELSE %]
+ [%|loc%]Request new password[%END%]
+ [% END %]
+

+

+
+ [%|loc%]Do you really want to request password?[%END%]
+
+

[%~ ELSIF confirm_action == 'rt_delete' ~%]

@@ -512,6 +526,9 @@ + [%~ ELSIF confirm_action == 'requestpasswd' ~%] + + [%~ ELSIF confirm_action == 'rt_delete' ~%] [%~ ELSIF confirm_action == 'signoff' ~%]
diff --git a/default/web_tt2/renewpasswd.tt2 b/default/web_tt2/renewpasswd.tt2
index 621eb130d..7fb5b9b63 100644
--- a/default/web_tt2/renewpasswd.tt2
+++ b/default/web_tt2/renewpasswd.tt2
@@ -31,7 +31,7 @@ [%|loc%]You will receive an email that will allow you to choose your password.[%END%]

[% ELSE %]
- [% IF requestpasswd_context == 'firstpasswd' %]
+ [% IF reason == 'firstpasswd' %]

[%|loc%]Please enter your email address to begin the registration process.[%END%]

@@ -47,6 +47,7 @@ +
@@ -57,7 +58,7 @@
[% ELSE %] value="[%|loc%]Request new password[%END%]" />
diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in
index 42e22867e..5eef7e654 100644
--- a/src/cgi/wwsympa.fcgi.in
+++ b/src/cgi/wwsympa.fcgi.in
@@ -4052,7 +4052,7 @@ sub sendssopasswd {
 sub do_firstpasswd {
 wwslog('info', '(%s)', $in{'email'});
- $param->{'requestpasswd_context'} = 'firstpasswd';
+ $param->{'reason'} = 'firstpasswd';
 return 'renewpasswd';
 }
 ## send a ticket for choosing a new password
@@ -4103,9 +4103,21 @@ sub do_renewpasswd {
 ####################################################
 sub do_requestpasswd {
 wwslog('info', '(%s)', $in{'email'});
- my ($passwd, $user);
+
+ my $email = $in{'email'};
+ my $reason = $in{'reason'};
 $param->{'account_creation'} = 1;
+ $param->{'email'} = $email;
+ $param->{'reason'} = $reason;
+
+ # Action confirmed?
+ my $next_action = $session->confirm_action(
+ $in{'action'}, $in{'response_action'},
+ arg => join(',', $email, $reason),
+ previous_action => ($in{'previous_action'} || ($reason ? 'firstpasswd' : 'renewpasswd'))
+ );
+ return $next_action unless $next_action eq '1';
 my $url_redirect;
 if ($url_redirect = is_ldap_user($in{'email'})) {
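Review bot: In do_requestpasswd, `reason` is copied straight from `$in{'reason'}` and then used three ways without being normalised: it is exported as `$param->{'reason'}`, joined into the confirmation `arg`, and tested for truth in the `previous_action` fallback. The fallback `($reason ? 'firstpasswd' : 'renewpasswd')` treats any non-empty value as a first-password request, whereas the templates in this patch compare `reason == 'firstpasswd'`, and an absent parameter reaches `join` as undef. Unless the parameter is already constrained by checks outside this hunk, I would pin it to the one known value with `my $reason = ($in{'reason'} // '') eq 'firstpasswd' ? 'firstpasswd' : '';`, which also keeps a comma in the request from changing the shape of the comma-joined `arg`. The body of do_requestpasswd continues past the end of the hunk, and the visible tail still reads `$in{'email'}` rather than the confirmed `$email`.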