From d850025e603fc6f2bec3a80cdd17c027d8813341 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Tue, 7 Jun 2016 16:15:12 +0000
Subject: [PATCH] Reject authentication data change when there are warnings

AuthManager uses a status which is OK but not good for authentication data which is discouraged but still accepted for authentication. Users should not be allowed to change credentials into such invalid state. This change brings the web logic and the AuthPlugin fallback in sync with the API which already used the stricter check.
Change-Id: I4ff54fcc901f6fe11f15ed60fc1a3d8753de9f6c
---
 includes/Preferences.php | 2 +-
 includes/auth/AuthManagerAuthPlugin.php | 2 +-
 includes/specialpage/AuthManagerSpecialPage.php | 2 +-
 includes/user/User.php | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/includes/Preferences.php b/includes/Preferences.php
index 9a55ae3487..3083a8d215 100644
--- a/includes/Preferences.php
+++ b/includes/Preferences.php
@@ -296,7 +296,7 @@ class Preferences {
 $allowPasswordChange = $wgDisableAuthManager ? $wgAuth->allowPasswordChange() : AuthManager::singleton()->allowsAuthenticationDataChange(
- new PasswordAuthenticationRequest(), false );
+ new PasswordAuthenticationRequest(), false )->isGood();
 if ( $canEditPrivateInfo && $allowPasswordChange ) {
 $link = Linker::link( SpecialPage::getTitleFor( 'ChangePassword' ),
 $context->msg( 'prefs-resetpass' )->escaped(), [],
diff --git a/includes/auth/AuthManagerAuthPlugin.php b/includes/auth/AuthManagerAuthPlugin.php
index bf1e0215bc..8d85b4411d 100644
--- a/includes/auth/AuthManagerAuthPlugin.php
+++ b/includes/auth/AuthManagerAuthPlugin.php
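Review bot: In includes/Preferences.php the added `->isGood()` is the only thing that turns `$allowPasswordChange` into a real boolean, and nothing on the line says why it is needed; without it the right arm of the ternary yields the status object itself, which PHP evaluates as true whatever it contains. A one-line comment above the assignment would keep a later cleanup from dropping the call, for example `// allowsAuthenticationDataChange() returns a status object (always truthy); isGood() also rejects warning-only results`. This value only decides whether the ChangePassword link is rendered, so enforcement presumably rests on the check changed in AuthManagerSpecialPage.php. The enclosing method starts and ends outside the hunk.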
@@ -131,7 +131,7 @@ class AuthManagerAuthPlugin extends \AuthPlugin {
 $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
 foreach ( $reqs as $req ) {
 $status = AuthManager::singleton()->allowsAuthenticationDataChange( $req );
- if ( !$status->isOk() ) {
+ if ( !$status->isGood() ) {
 $this->logger->info( __METHOD__ . ': Password change rejected: {reason}', [
 'username' => $data['username'],
 'reason' => $status->getWikiText( null, null, 'en' ),
diff --git a/includes/specialpage/AuthManagerSpecialPage.php b/includes/specialpage/AuthManagerSpecialPage.php
index 7866c12bae..41380f0b84 100644
--- a/includes/specialpage/AuthManagerSpecialPage.php
+++ b/includes/specialpage/AuthManagerSpecialPage.php
@@ -375,7 +375,7 @@ abstract class AuthManagerSpecialPage extends SpecialPage {
 $req = reset( $requests );
 $status = $authManager->allowsAuthenticationDataChange( $req );
 Hooks::run( 'ChangeAuthenticationDataAudit', [ $req, $status ] );
- if ( !$status->isOK() ) {
+ if ( !$status->isGood() ) {
 return AuthenticationResponse::newFail( $status->getMessage() );
 }
 $authManager->changeAuthenticationData( $req );
diff --git a/includes/user/User.php b/includes/user/User.php
index 9e50f36a23..8ecf468647 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -2569,7 +2569,7 @@ class User implements IDBAccessObject {
 $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
 foreach ( $reqs as $req ) {
 $status = $manager->allowsAuthenticationDataChange( $req );
- if ( !$status->isOk() ) {
+ if ( !$status->isGood() ) {
 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
 ->info( __METHOD__ . ': Password change rejected: ' . $status->getWikiText() );
 return false;
--
2.20.1
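Review bot: With the stricter test, the `Password change rejected` entry in AuthManagerAuthPlugin.php is now also written for warning-only statuses, and the log context gives no way to tell those from hard failures; the log call in the User.php hunk has the same gap. Someone triaging authentication logs will want to separate "credential discouraged by policy" from "change not permitted". One extra field in the context array would cover it, for example `'warningsOnly' => $status->isOK(),`. The foreach body continues outside the hunk.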
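Review bot: In AuthManagerSpecialPage.php the `ChangeAuthenticationDataAudit` hook still runs before the check and receives only `$req` and `$status`, so a handler that classifies the attempt with `$status->isOK()` would now record a warning-only status as accepted although the change is refused on the next line. No handler is visible in this patch, so this is an assumption about consumers. A comment above the hook call would pin the contract, for example `// Audit consumers: the change is applied only when $status->isGood()`. The surrounding method starts and ends outside the hunk.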
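Review bot: The log call in User.php concatenates `$status->getWikiText()` into the message string, while the matching call in AuthManagerAuthPlugin.php passes it as a `{reason}` placeholder with a context array and a fixed `'en'` language. Status text spliced into the message makes entries harder to group, and if the logger interpolates placeholders, braces in that text could be read as template fields. Bringing it in line would look like `->info( __METHOD__ . ': Password change rejected: {reason}', [ 'reason' => $status->getWikiText( null, null, 'en' ) ] );`. The foreach body continues outside the hunk.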