From 4d52d7524021378a63a46331926e42d1bca54cce Mon Sep 17 00:00:00 2001 From: =?utf8?q?Jan=20Kr=C3=BCger?= Date: Wed, 30 Nov 2011 05:33:53 +0100 Subject: [PATCH] edituser.cgi: do not display SSH keys before auth code has been validated MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Previously, we displayed the SSH key editing form even if the given auth code wasn't valid. This is a (not very critical, but still...) breach of information that should be eliminated. Instead, if the auth code is invalid, merely display the auth form again. Signed-off-by: Jan Krüger --- cgi/edituser.cgi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/cgi/edituser.cgi b/cgi/edituser.cgi index 52b09fa..6f51bb8 100755 --- a/cgi/edituser.cgi +++ b/cgi/edituser.cgi @@ -89,14 +89,11 @@ EOT my $fields = ''; my $keys = $cgi->param('keys') || ''; - if ($keys) { - $fields = "

Public SSH key(s):

\n"; - } my $auth = $gcgi->wparam('auth'); if ($auth ne $user->{auth}) { print '

Invalid authorization code, please re-enter or generate a new one.

'; - _auth_form($name, "'Login'", $fields); + _auth_form($name, "'Login'"); exit; } -- 2.11.4.GIT
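Review bot: The comparison `$auth ne $user->{auth}` is the only gate visible in this hunk, and it treats two empty or undefined values as a match, so a request without an `auth` parameter would pass if the stored code was never generated or has been cleared. Unless an earlier check outside the hunk already rules that out, reject those cases explicitly: `if (!defined $auth || !defined $user->{auth} || $user->{auth} eq '' || $auth ne $user->{auth}) {`. Separately, `$fields` is no longer read in the visible lines after this change; if nothing further down uses it, drop the `my $fields = '';` declaration. The enclosing block starts and ends outside the hunk, so both points need checking against the full file.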