dépôts / lhc / web / wiklou.git / blob
? search:


f4863cf42885f91ab8fe66c84a51213d822c4f25
[lhc/web/wiklou.git] / includes / specials / SpecialPasswordReset.php
1 <?php
2 /**
3 * Implements Special:Blankpage
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 * @ingroup SpecialPage
22 */
23
24 /**
25 * Special page for requesting a password reset email
26 *
27 * @ingroup SpecialPage
28 */
29 class SpecialPasswordReset extends FormSpecialPage {
30
31 public function __construct() {
32 parent::__construct( 'PasswordReset' );
33 }
34
35 public function userCanExecute( User $user ) {
36 global $wgPasswordResetRoutes, $wgAuth;
37
38 // Maybe password resets are disabled, or there are no allowable routes
39 if ( !is_array( $wgPasswordResetRoutes )
40 || !in_array( true, array_values( $wgPasswordResetRoutes ) ) )
41 {
42 throw new ErrorPageError( 'internalerror', 'passwordreset-disabled' );
43 }
44
45 // Maybe the external auth plugin won't allow local password changes
46 if ( !$wgAuth->allowPasswordChange() ) {
47 throw new ErrorPageError( 'internalerror', 'resetpass_forbidden' );
48 }
49
50 // Maybe the user is blocked (check this here rather than relying on the parent
51 // method as we have a more specific error message to use here
52 if ( $user->isBlocked() ) {
53 throw new ErrorPageError( 'internalerror', 'blocked-mailpassword' );
54 }
55
56 return parent::userCanExecute( $user );
57 }
58
59 protected function getFormFields() {
60 global $wgPasswordResetRoutes;
61 $a = array();
62 if ( isset( $wgPasswordResetRoutes['username'] ) && $wgPasswordResetRoutes['username'] ) {
63 $a['Username'] = array(
64 'type' => 'text',
65 'label-message' => 'passwordreset-username',
66 );
67 }
68
69 if ( isset( $wgPasswordResetRoutes['email'] ) && $wgPasswordResetRoutes['email'] ) {
70 $a['Email'] = array(
71 'type' => 'email',
72 'label-message' => 'passwordreset-email',
73 );
74 }
75
76 return $a;
77 }
78
79 protected function preText() {
80 global $wgPasswordResetRoutes;
81 $i = 0;
82 if ( isset( $wgPasswordResetRoutes['username'] ) && $wgPasswordResetRoutes['username'] ) {
83 $i++;
84 }
85 if ( isset( $wgPasswordResetRoutes['email'] ) && $wgPasswordResetRoutes['email'] ) {
86 $i++;
87 }
88 return wfMessage( 'passwordreset-pretext', $i )->parseAsBlock();
89 }
90
91 /**
92 * Process the form. At this point we know that the user passes all the criteria in
93 * userCanExecute(), and if the data array contains 'Username', etc, then Username
94 * resets are allowed.
95 * @param $data array
96 * @return Bool|Array
97 */
98 public function onSubmit( array $data ) {
99
100 if ( isset( $data['Username'] ) && $data['Username'] !== '' ) {
101 $method = 'username';
102 $users = array( User::newFromName( $data['Username'] ) );
103 } elseif ( isset( $data['Email'] )
104 && $data['Email'] !== ''
105 && Sanitizer::validateEmail( $data['Email'] ) )
106 {
107 $method = 'email';
108 $res = wfGetDB( DB_SLAVE )->select(
109 'user',
110 '*',
111 array( 'user_email' => $data['Email'] ),
112 __METHOD__
113 );
114 if ( $res ) {
115 $users = array();
116 foreach( $res as $row ){
117 $users[] = User::newFromRow( $row );
118 }
119 } else {
120 // Some sort of database error, probably unreachable
121 throw new MWException( 'Unknown database error in ' . __METHOD__ );
122 }
123 } else {
124 // The user didn't supply any data
125 return false;
126 }
127
128 // Check for hooks (captcha etc), and allow them to modify the users list
129 $error = array();
130 if ( !wfRunHooks( 'SpecialPasswordResetOnSubmit', array( &$users, $data, &$error ) ) ) {
131 return array( $error );
132 }
133
134 if( count( $users ) == 0 ){
135 if( $method == 'email' ){
136 // Don't reveal whether or not an email address is in use
137 return true;
138 } else {
139 return array( 'noname' );
140 }
141 }
142
143 $firstUser = $users[0];
144
145 if ( !$firstUser instanceof User || !$firstUser->getID() ) {
146 return array( array( 'nosuchuser', $data['Username'] ) );
147 }
148
149 // Check against the rate limiter
150 if ( $this->getUser()->pingLimiter( 'mailpassword' ) ) {
151 throw new ThrottledError;
152 }
153
154 // Check against password throttle
155 foreach ( $users as $user ) {
156 if ( $user->isPasswordReminderThrottled() ) {
157 global $wgPasswordReminderResendTime;
158 # Round the time in hours to 3 d.p., in case someone is specifying
159 # minutes or seconds.
160 return array( array( 'throttled-mailpassword', round( $wgPasswordReminderResendTime, 3 ) ) );
161 }
162 }
163
164 global $wgServer, $wgScript, $wgNewPasswordExpiry;
165
166 // All the users will have the same email address
167 if ( $firstUser->getEmail() == '' ) {
168 // This won't be reachable from the email route, so safe to expose the username
169 return array( array( 'noemail', $firstUser->getName() ) );
170 }
171
172 // We need to have a valid IP address for the hook, but per bug 18347, we should
173 // send the user's name if they're logged in.
174 $ip = wfGetIP();
175 if ( !$ip ) {
176 return array( 'badipaddress' );
177 }
178 $caller = $this->getUser();
179 wfRunHooks( 'User::mailPasswordInternal', array( &$caller, &$ip, &$firstUser ) );
180 $username = $caller->getName();
181 $msg = IP::isValid( $username )
182 ? 'passwordreset-emailtext-ip'
183 : 'passwordreset-emailtext-user';
184
185 $passwords = array();
186 foreach ( $users as $user ) {
187 $password = $user->randomPassword();
188 $user->setNewpassword( $password );
189 $user->saveSettings();
190 $passwords[] = wfMessage( 'passwordreset-emailelement', $user->getName(), $password );
191 }
192 $passwordBlock = implode( "\n\n", $passwords );
193
194 // Send in the user's language; which should hopefully be the same
195 $userLanguage = $firstUser->getOption( 'language' );
196
197 $body = wfMessage( $msg )->inLanguage( $userLanguage );
198 $body->params(
199 $username,
200 $passwordBlock,
201 count( $passwords ),
202 $wgServer . $wgScript,
203 round( $wgNewPasswordExpiry / 86400 )
204 );
205
206 $title = wfMessage( 'passwordreset-emailtitle' );
207
208 $result = $firstUser->sendMail( $title->text(), $body->text() );
209
210 if ( $result->isGood() ) {
211 return true;
212 } else {
213 // @todo FIXME: The email didn't send, but we have already set the password throttle
214 // timestamp, so they won't be able to try again until it expires... :(
215 return array( array( 'mailerror', $result->getMessage() ) );
216 }
217 }
218
219 public function onSuccess() {
220 $this->getOutput()->addWikiMsg( 'passwordreset-emailsent' );
221 $this->getOutput()->returnToMain();
222 }
223 }
Wiklou, le Wiki du Wiklou