From 374a0ad94367fc8985a18f780d4bc44fee9a897a Mon Sep 17 00:00:00 2001 From: Tyler Anthony Romeo Date: Fri, 1 Feb 2013 12:25:53 -0500 Subject: [PATCH] Change secure login to use a user preference Removed the wpStickHTTPS checkbox from the login form, and instead just use the user's preferences along with whether they came from HTTPS or not to determine if they should stay in HTTPS. Bug: 29898 Bug: 52283 Change-Id: I69e9cb23b8d700e821b8a961c672958e4e19e4f8 --- RELEASE-NOTES-1.22 | 3 +++ includes/DefaultSettings.php | 1 + includes/Preferences.php | 12 +++++++++++- includes/User.php | 17 ++++++++++++++++- includes/Wiki.php | 13 ++++++++++--- includes/specials/SpecialUserlogin.php | 8 ++++++-- includes/templates/Userlogin.php | 13 +------------ languages/messages/MessagesEn.php | 2 +- languages/messages/MessagesQqq.php | 2 +- maintenance/language/messages.inc | 2 +- 10 files changed, 51 insertions(+), 22 deletions(-) diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22 index b1e88a4b74..51eeb85092 100644 --- a/RELEASE-NOTES-1.22 +++ b/RELEASE-NOTES-1.22 @@ -46,6 +46,9 @@ production. * New key added to $wgGalleryOptions - $wgGalleryOptions['mode'] to set default gallery mode. * New hook 'GalleryGetModes' to allow extensions to make new gallery modes. +* The checkbox for staying in HTTPS displayed on the login form when $wgSecureLogin is + enabled has been removed. Instead, whether the user stays in HTTPS will be determined + based on the user's preferences, and whether they came from HTTPS or not. === New features in 1.22 === * (bug 44525) mediawiki.jqueryMsg can now parse (whitelisted) HTML elements and attributes. diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 87c1b6b6a6..8f8f5081e7 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -3965,6 +3965,7 @@ $wgDefaultUserOptions = array( 'watchmoves' => 0, 'wllimit' => 250, 'useeditwarning' => 1, + 'prefershttps' => 1, ); /** 
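Review bot: The new `'prefershttps' => 1` default makes the preference opt-out, so once $wgSecureLogin is enabled every account that has never visited Special:Preferences is pinned to HTTPS by the new User::requiresHTTPS() (which reads getBoolOption( 'prefershttps' ) in the includes/User.php hunk) — stricter than the release note's "determined based on the user's preferences" suggests. If that is the intent, the $wgSecureLogin documentation elsewhere in DefaultSettings.php (outside this hunk) should say so, and the release-note line could read `based on the user's 'prefershttps' preference (on by default), and whether they came from HTTPS or not.` so administrators know what flipping $wgSecureLogin now does to existing users.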
diff --git a/includes/Preferences.php b/includes/Preferences.php index 2bb1e640bd..9791d8bdd3 100644 --- a/includes/Preferences.php +++ b/includes/Preferences.php @@ -188,7 +188,8 @@ class Preferences { global $wgAuth, $wgContLang, $wgParser, $wgCookieExpiration, $wgLanguageCode, $wgDisableTitleConversion, $wgDisableLangConversion, $wgMaxSigChars, $wgEnableEmail, $wgEmailConfirmToEdit, $wgEnableUserEmail, $wgEmailAuthentication, - $wgEnotifWatchlist, $wgEnotifUserTalk, $wgEnotifRevealEditorAddress; + $wgEnotifWatchlist, $wgEnotifUserTalk, $wgEnotifRevealEditorAddress, + $wgSecureLogin; // retrieving user name for GENDER and misc. $userName = $user->getName(); @@ -313,6 +314,15 @@ class Preferences { 'section' => 'personal/info', ); } + // Only show preferhttps if secure login is turned on + if ( $wgSecureLogin ) { + $defaultPreferences['prefershttps'] = array( + 'type' => 'toggle', + 'label-message' => 'tog-prefershttps', + 'default' => true, + 'section' => 'personal/info' + ); + } // Language $languages = Language::fetchLanguageNames( null, 'mw' ); diff --git a/includes/User.php b/includes/User.php index 72f66f06d4..dcfc5115da 100644 --- a/includes/User.php +++ b/includes/User.php @@ -2599,6 +2599,21 @@ class User { return $this->mDatePreference; } + /** + * Determine based on the wiki configuration and the user's options, + * whether this user must be over HTTPS no matter what. + * + * @return bool + */ + public function requiresHTTPS() { + global $wgSecureLogin; + if ( !$wgSecureLogin ) { + return false; + } else { + return $this->getBoolOption( 'prefershttps' ); + } + } + /** * Get the user preferred stub threshold * @@ -3186,7 +3201,7 @@ class User { * will cause the site to redirect the user to HTTPS, if they access * it over HTTP. Bug 29898. */ - if ( $request->getCheck( 'wpStickHTTPS' ) ) { + if ( $request->getCheck( 'wpStickHTTPS' ) || $this->requiresHTTPS() ) { $this->setCookie( 'forceHTTPS', 'true', time() + 2592000, false ); //30 days } } 
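Review bot: The comment above the new block says "preferhttps" while the option key and message are `prefershttps`; `// Only show prefershttps if secure login is turned on` would match the code. The new array also omits the trailing comma after `'section' => 'personal/info'` that the neighbouring entries in this file carry (see the `'section' => 'personal/info',` context at the top of the hunk). `'default' => true` restates the $wgDefaultUserOptions value added in DefaultSettings.php; if the two ever drift apart the form and the stored default will disagree, so either drop it here or add a one-line comment saying why both are needed. The enclosing method of the second hunk starts before the hunk.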
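Review bot: requiresHTTPS() has no logged-in guard; if getBoolOption() falls back to $wgDefaultUserOptions for anonymous users (as I believe it does), then with $wgSecureLogin on and the new default of 1 every anonymous visitor is reported as requiring HTTPS, and the includes/Wiki.php hunk then redirects the entire site — contrary to the "when logged in" wording of the new tog-prefershttps message. Suggest `if ( !$wgSecureLogin || !$this->isLoggedIn() ) { return false; }` followed by `return $this->getBoolOption( 'prefershttps' );`, which also removes the `else` after the early return. The docblock's "must be over HTTPS no matter what" overstates the contract, since the answer depends on a user-editable preference; `Determine, from $wgSecureLogin and the user's 'prefershttps' option, whether this user should be kept on HTTPS.` is more accurate.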
diff --git a/includes/Wiki.php b/includes/Wiki.php index cb0f60ac52..6e72b9dcf7 100644 --- a/includes/Wiki.php +++ b/includes/Wiki.php @@ -502,9 +502,16 @@ class MediaWiki { $request = $this->context->getRequest(); - if ( $request->getCookie( 'forceHTTPS' ) - && $request->detectProtocol() == 'http' - && $request->getMethod() == 'GET' + // If the user has forceHTTPS set to true, or if the user + // is in a group requiring HTTPS, or if they have the HTTPS + // preference set, redirect them to HTTPS. + if ( + ( + $request->getCookie( 'forceHTTPS' ) || + // Avoid checking the user and groups unless it's enabled. + $this->context->getUser()->requiresHTTPS() + ) && + $request->detectProtocol() == 'http' ) { $redirUrl = $request->getFullRequestURL(); $redirUrl = str_replace( 'http://', 'https://', $redirUrl ); diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php index cfd617e159..2081dd97ea 100644 --- a/includes/specials/SpecialUserlogin.php +++ b/includes/specials/SpecialUserlogin.php @@ -105,7 +105,7 @@ class LoginForm extends SpecialPage { $this->mLoginattempt = $request->getCheck( 'wpLoginattempt' ); $this->mAction = $request->getVal( 'action' ); $this->mRemember = $request->getCheck( 'wpRemember' ); - $this->mStickHTTPS = $request->getCheck( 'wpStickHTTPS' ); + $this->mStickHTTPS = $request->getBool( 'wpStickHTTPS' ); $this->mLanguage = $request->getText( 'uselang' ); $this->mSkipCookieCheck = $request->getCheck( 'wpSkipCookieCheck' ); $this->mToken = ( $this->mType == 'signup' ) ? $request->getVal( 'wpCreateaccountToken' ) : $request->getVal( 'wpLoginToken' ); @@ -747,6 +747,10 @@ class LoginForm extends SpecialPage { $user->invalidateCache(); } + if ( $user->requiresHTTPS() ) { + $this->mStickHTTPS = true; + } + if ( $wgSecureLogin && !$this->mStickHTTPS ) { $user->setCookies( null, false ); } else { 
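Review bot: The rewritten condition drops the `$request->getMethod() == 'GET'` test, so a POST that arrives over HTTP (an edit, or the login submission itself) is now redirected as well; unless the redirect issued after this hunk preserves the method, the submitted body is silently lost, so the guard should stay: `) && $request->detectProtocol() == 'http' && $request->getMethod() == 'GET'`. The new comment promises "if the user is in a group requiring HTTPS", but requiresHTTPS() in this patch only consults $wgSecureLogin and the 'prefershttps' option, so the comment should not mention groups. The "Avoid checking the user and groups unless it's enabled" comment sits on the `||` short-circuit, which skips requiresHTTPS() only when the forceHTTPS cookie is present; the cheap $wgSecureLogin check lives inside requiresHTTPS() itself, so the comment belongs there or needs rewording. The enclosing method continues past the hunk.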
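Review bot: The commit message says staying on HTTPS is decided by the preference "and whether they came from HTTPS or not", but none of the SpecialUserlogin hunks (the diffstat lists +6/−2 for this file) read the request protocol: after the `@@ -747` hunk, mStickHTTPS is true only when requiresHTTPS() is set or a `wpStickHTTPS` value was posted via the now-hidden field. Unless the secure-login link populates wpStickHTTPS somewhere outside this diff, a user who reached the form over HTTPS with the preference off is dropped back to HTTP after login; if the arrival protocol is meant to count, the new `if` in this hunk should also test the request's detectProtocol() against 'https', or the commit message should stop claiming it. The enclosing method starts before and continues after the hunk.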
@@ -1154,7 +1158,7 @@ class LoginForm extends SpecialPage { $template->set( 'usereason', $user->isLoggedIn() ); $template->set( 'remember', $user->getOption( 'rememberpassword' ) || $this->mRemember ); $template->set( 'cansecurelogin', ( $wgSecureLogin === true ) ); - $template->set( 'stickHTTPS', $this->mStickHTTPS ); + $template->set( 'stickHTTPS', (int)$this->mStickHTTPS ); if ( $this->mType === 'signup' && $user->isLoggedIn() ) { $template->set( 'createAnother', true ); diff --git a/includes/templates/Userlogin.php b/includes/templates/Userlogin.php index b9825a6b39..f41f4035d2 100644 --- a/includes/templates/Userlogin.php +++ b/includes/templates/Userlogin.php @@ -151,18 +151,6 @@ class UserloginTemplate extends BaseTemplate { - data['cansecurelogin'] ) { ?> -
- -
-
getMsg( 'login' )->text(), 'submit', array( @@ -182,6 +170,7 @@ class UserloginTemplate extends BaseTemplate { haveData( 'uselang' ) ) { ?> haveData( 'token' ) ) { ?> +data['cansecurelogin'] ) {?>
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 7bb3bd20a0..a9c13601a0 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php @@ -694,6 +694,7 @@ future releases. Also note that since each list value is wrapped in a unique 'tog-noconvertlink' => 'Disable link title conversion', # only translate this message to other languages if you have to change it 'tog-norollbackdiff' => 'Omit diff after performing a rollback', 'tog-useeditwarning' => 'Warn me when I leave an edit page with unsaved changes', +'tog-prefershttps' => 'Always use a secure connection when logged in', 'underline-always' => 'Always', 'underline-never' => 'Never', @@ -1116,7 +1117,6 @@ Do not forget to change your [[Special:Preferences|{{SITENAME}} preferences]].', 'remembermypassword' => 'Remember my login on this browser (for a maximum of $1 {{PLURAL:$1|day|days}})', 'userlogin-remembermypassword' => 'Keep me logged in', 'userlogin-signwithsecure' => 'Use secure connection', -'securelogin-stick-https' => 'Stay connected to HTTPS after login', 'yourdomainname' => 'Your domain:', 'password-change-forbidden' => 'You cannot change passwords on this wiki.', 'externaldberror' => 'There was either an authentication database error or you are not allowed to update your external account.', diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php index e7e989799d..d208c15d45 100644 --- a/languages/messages/MessagesQqq.php +++ b/languages/messages/MessagesQqq.php 
@@ -202,6 +202,7 @@ Is only shown if {{msg-mw|tog-enotifusertalkpages}} or/and {{msg-mw|tog-enotifwa 'tog-ccmeonemails' => 'Option in [[Special:Preferences]] > {{int:prefs-personal}} > {{int:email}}. {{Gender}}', 'tog-diffonly' => 'Toggle option used in [[Special:Preferences]]. {{Gender}}', 'tog-showhiddencats' => 'Toggle option used in [[Special:Preferences]]. {{Gender}}', +'tog-prefershttps' => 'Toggle option used in [[Special:Preferences]] that indicates if the user wants to use a secure connection when logged in', 'tog-noconvertlink' => "{{optional}} ''(the message is considered optional because it is only used in wikis with language variants)''", @@ -1222,7 +1223,6 @@ See example: [{{canonicalurl:Special:UserLogin|type=signup}} Special:UserLogin?t 'userlogin-signwithsecure' => 'Text of link to HTTPS login form. See example: [[Special:UserLogin]]', -'securelogin-stick-https' => 'Used as label for checkbox.', 'yourdomainname' => 'Used as label for listbox.', 'password-change-forbidden' => 'Error message shown when an external authentication source does not allow the password to be changed.', 'externaldberror' => 'This message is thrown when a valid attempt to change the wiki password for a user fails because of a database error or an error from an external system.', diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc index aa8d7cc8e3..68b2d17bc4 100644 --- a/maintenance/language/messages.inc +++ b/maintenance/language/messages.inc @@ -70,6 +70,7 @@ $wgMessageStructure = array( 'tog-noconvertlink', 'tog-norollbackdiff', 'tog-useeditwarning', + 'tog-prefershttps' ), 'underline' => array( 'underline-always', @@ -459,7 +460,6 @@ $wgMessageStructure = array( 'remembermypassword', 'userlogin-remembermypassword', 'userlogin-signwithsecure', - 'securelogin-stick-https', 'yourdomainname', 'password-change-forbidden', 'externaldberror', -- 2.20.1