From f13fc04cbfb453b665f7ece16db109bab1167b7b Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Mon, 7 May 2007 21:54:06 +0000 Subject: [PATCH] * Add hooks for captcha in main user login form * Add hook point for detecting and logging login attempts with invalid password * Add captcha support for triggering a captcha after a bad password attempt. Legit users shouldn't be inconvenienced much, but password-guesser bots will be severely speedbumped. --- docs/hooks.txt | 12 ++++++++++++ includes/SpecialUserlogin.php | 8 ++++++++ includes/templates/Userlogin.php | 1 + skins/monobook/main.css | 3 ++- 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/hooks.txt b/docs/hooks.txt index a043bd1855..6f66b06279 100644 --- a/docs/hooks.txt +++ b/docs/hooks.txt @@ -237,6 +237,13 @@ protocol came about after MediaWiki 1.4rc1. This is a list of known events and parameters; please add to it if you're going to add events to the MediaWiki code. +'AbortLogin': Return false to cancel account login. +$user: the User object being authenticated against +$password: the password being submitted, not yet checked for validity +&$retval: a LoginForm class constant to return from authenticateUserData(); + default is LoginForm::ABORTED. Note that the client may be using + a machine API rather than the HTML user interface. + 'AbortNewAccount': Return false to cancel account creation. $user: the User object about to be created (read-only, incomplete) $message: out parameter: error message to display on abort 
@@ -402,6 +409,11 @@ after noinclude/includeonly/onlyinclude and other processing. &$text: string containing partially parsed text &$this->mStripState: Parser's internal StripState object +'LoginBadPass': a login attempt has failed with an invalid password. + No return data is accepted; this hook is for auditing only. +$user: the User object being authenticated against +$password: the password being submitted and found wanting + 'LogPageValidTypes': action being logged. DEPRECATED: Use $wgLogTypes &$type: array of strings diff --git a/includes/SpecialUserlogin.php b/includes/SpecialUserlogin.php index 2de164b7dc..26196b891e 100644 --- a/includes/SpecialUserlogin.php +++ b/includes/SpecialUserlogin.php @@ -32,6 +32,7 @@ class LoginForm { const WRONG_PASS = 5; const EMPTY_PASS = 6; const RESET_PASS = 7; + const ABORTED = 8; var $mName, $mPassword, $mRetype, $mReturnTo, $mCookieCheck, $mPosted; var $mAction, $mCreateaccount, $mCreateaccountMail, $mMailmypassword; @@ -364,6 +365,12 @@ class LoginForm { $u->load(); } + // Give general extensions, such as a captcha, a chance to abort logins + $abort = self::ABORTED; + if( !wfRunHooks( 'AbortLogin', array( $u, $this->mPassword, &$abort ) ) ) { + return $abort; + } + if (!$u->checkPassword( $this->mPassword )) { if( $u->checkTemporaryPassword( $this->mPassword ) ) { // The e-mailed temporary password should not be used @@ -395,6 +402,7 @@ class LoginForm { // return self::RESET_PASS; } else { + wfRunHooks( 'LoginBadPass', array( $u, $this->mPassword ) ); return '' == $this->mPassword ? self::EMPTY_PASS : self::WRONG_PASS; } } else { diff --git a/includes/templates/Userlogin.php b/includes/templates/Userlogin.php index ccddfa662d..3230291e56 100644 --- a/includes/templates/Userlogin.php +++ b/includes/templates/Userlogin.php @@ -28,6 +28,7 @@ class UserloginTemplate extends QuickTemplate {
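Review bot: In includes/SpecialUserlogin.php, the new `return $abort;` hands back whatever an AbortLogin handler wrote through the reference, and it runs before `checkPassword()`, so a handler that sets the value to LoginForm::SUCCESS would have the attempt reported to the caller as a success without the password being checked. Restricting the hook to failure codes closes that, e.g. `if( $abort === self::SUCCESS ) $abort = self::ABORTED;` just before the return. The default `self::ABORTED` is also a new return value, and none of the eight lines this commit adds to the file handle it on the caller side, so the code that consumes authenticateUserData() (outside these hunks) should be checked for a matching case. The enclosing function starts and ends outside the hunk.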
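Review bot: The LoginBadPass call added in the final `else` branch of includes/SpecialUserlogin.php gives every handler the rejected password in cleartext, and since docs/hooks.txt describes the hook as auditing-only, the likely consumers are loggers. Rejected passwords are often a typo of the real one or a credential the user holds elsewhere, so they should not end up in log files or database rows. A call-site comment would state the contract: `// Handlers must not log or store the submitted password; it may be a near miss of the real one`. The AbortLogin call in the preceding hunk passes the same value and warrants the same caveat. The branch that contains this call opens and closes outside the hunk.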

msg('login') ?>

+ html('header'); /* pre-table point for form plugins... */ ?>
msgWiki('loginprompt') ?>
haveData( 'languages' ) ) { ?>
diff --git a/skins/monobook/main.css b/skins/monobook/main.css
index 1fa96e323f..b08e4ab306 100644
--- a/skins/monobook/main.css
+++ b/skins/monobook/main.css
@@ -1180,7 +1180,8 @@ div#userlogin form#userlogin2 h2 {
 padding-top: 0;
 }
 
-div#userlogin .captcha {
+div#userlogin .captcha,
+div#userloginForm .captcha {
 border: 1px solid #bbb;
 padding: 1.5em 2em;
 width: 400px;
-- 
2.20.1
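Review bot: The added `html('header')` call in includes/templates/Userlogin.php writes the `header` template value into the login page without escaping (QuickTemplate's `html()` is the raw counterpart of `text()`), so the safety of this insertion point rests entirely on whoever fills it. The existing comment could state that contract, e.g. `/* pre-table point for form plugins; emitted as raw HTML, so the code that sets it must escape any user-derived content */`. It is also worth confirming that the login form code always sets `header` before this template renders, since none of this commit's SpecialUserlogin.php hunks do so. The template markup around the call is partly lost in this page's extraction, so the note is based on the visible call only.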