From a99c11e4e3c13f3bf7e3fd5f63435730a1533729 Mon Sep 17 00:00:00 2001 From: Andrew Garrett Date: Wed, 25 Mar 2009 02:27:30 +0000 Subject: [PATCH] Revert r47569 and subsequent related revisions. These still break logging in with temporary passwords despite two attempts to fix the issue. --- RELEASE-NOTES | 3 - includes/DefaultSettings.php | 8 +- includes/User.php | 1 - includes/specials/SpecialResetpass.php | 118 ++++++++----------------- includes/specials/SpecialUserlogin.php | 3 +- languages/messages/MessagesEn.php | 1 - 6 files changed, 41 insertions(+), 93 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 5645ece7ad..16ddd4e829 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -117,11 +117,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN * Special:ListUsers: Sort list of usergroups by alphabet * (bug 16762) Special:Movepage now shows a list of subpages when possible * (bug 17585) Hide legend on Special:Specialpages from non-privileged users -* (bug 15876) Users with 'reset-passwords' right can change the passwords of - other users. * Add an ID if 'missingsummary' is triggered to allow styling of the summary line -* Add logging to password resets if not resetting your own * Added $wgUseTagFilter to control enabling of filter-by-change-tag * (bug 17291) MediaWiki:Nocontribs now has an optional $1 parameter for the username diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index ff7acbed08..b4f5739fdd 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php 
@@ -1255,8 +1255,6 @@ $wgGroupPermissions['sysop']['movefile'] = true; // Permission to change users' group assignments $wgGroupPermissions['bureaucrat']['userrights'] = true; $wgGroupPermissions['bureaucrat']['noratelimit'] = true; -// Permission to change users' passwords -# $wgGroupPermissions['bureaucrat']['reset-passwords'] = true; // Permission to change users' groups assignments across wikis #$wgGroupPermissions['bureaucrat']['userrights-interwiki'] = true; // Permission to export pages including linked pages regardless of $wgExportMaxLinkDepth @@ -1471,7 +1469,7 @@ $wgCacheEpoch = '20030516000000'; * to ensure that client-side caches don't keep obsolete copies of global * styles. */ -$wgStyleVersion = '207'; +$wgStyleVersion = '206'; # Server-side caching: @@ -2873,7 +2871,6 @@ $wgLogTypes = array( '', 'patrol', 'merge', 'suppress', - 'password', ); /** @@ -2928,7 +2925,6 @@ $wgLogNames = array( 'patrol' => 'patrol-log-page', 'merge' => 'mergelog', 'suppress' => 'suppressionlog', - 'password' => 'resetpass-log' ); /** @@ -2949,7 +2945,6 @@ $wgLogHeaders = array( 'patrol' => 'patrol-log-header', 'merge' => 'mergelogpagetext', 'suppress' => 'suppressionlogtext', - 'password' => 'resetpass-logtext', ); /** @@ -2985,7 +2980,6 @@ $wgLogActions = array( 'suppress/delete' => 'suppressedarticle', 'suppress/block' => 'blocklogentry', 'suppress/reblock' => 'reblock-logentry', - 'password/reset' => 'resetpass-logentry' ); /** diff --git a/includes/User.php b/includes/User.php index c6e80fe2cd..4798294079 100644 --- a/includes/User.php +++ b/includes/User.php @@ -163,7 +163,6 @@ class User { 'proxyunbannable', 'purge', 'read', - 'reset-passwords', 'reupload', 'reupload-shared', 'rollback', diff --git a/includes/specials/SpecialResetpass.php b/includes/specials/SpecialResetpass.php index 1b96f27a0c..059f8dbd53 100644 --- a/includes/specials/SpecialResetpass.php +++ b/includes/specials/SpecialResetpass.php 
@@ -9,22 +9,9 @@ * @ingroup SpecialPage */ class SpecialResetpass extends SpecialPage { - - private $mSelfChange = true; // Usually, but sometimes not :) - private $mUser = null; // The user requesting the reset - public function __construct() { parent::__construct( 'Resetpass' ); } - - /** - * Sometimes the user requesting the password change is not $wgUser - * See bug 17722 - * @param User $usr - */ - public function setUser( $usr ) { - $this->mUser = $usr; - } /** * Main execution point @@ -32,15 +19,10 @@ class SpecialResetpass extends SpecialPage { function execute( $par ) { global $wgUser, $wgAuth, $wgOut, $wgRequest; - $this->mUserName = $wgRequest->getVal( 'wpName', $par ); + $this->mUserName = $wgRequest->getVal( 'wpName' ); $this->mOldpass = $wgRequest->getVal( 'wpPassword' ); $this->mNewpass = $wgRequest->getVal( 'wpNewPassword' ); $this->mRetype = $wgRequest->getVal( 'wpRetype' ); - $this->mComment = $wgRequest->getVal( 'wpComment' ); - - if ( is_null( $this->mUser ) ) { - $this->mUser = $wgUser; - } $this->setHeaders(); $this->outputHeader(); 
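Review bot: In the second hunk on this line (`execute()`), `$this->mUserName = $wgRequest->getVal( 'wpName' );` lets the request choose the account whose password is changed even when `$wgUser` is logged in; the fallback to `$wgUser->getName()` in the form code only applies when the parameter is empty. The old-password check in `attemptReset()` is then the only thing tying the request to that account. For a logged-in session I would pin the name, e.g. `if ( $wgUser->isLoggedIn() ) { $this->mUserName = $wgUser->getName(); }`, and keep the request value only for the logged-out temporary-password flow. execute() starts and ends outside this hunk.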
@@ -49,33 +31,17 @@ class SpecialResetpass extends SpecialPage { $this->error( wfMsg( 'resetpass_forbidden' ) ); return; } - - // Default to our own username when not given one - if ( !$this->mUserName ) { - $this->mUserName = $this->mUser->getName(); - } - - // Are we changing our own? - if ( $this->mUser->getName() != $this->mUserName ) { - $this->mSelfChange = false; // We're changing someone else - } - if( !$wgRequest->wasPosted() && !$this->mUser->isLoggedIn() ) { + if( !$wgRequest->wasPosted() && !$wgUser->isLoggedIn() ) { $this->error( wfMsg( 'resetpass-no-info' ) ); return; } - if ( !$this->mSelfChange && !$this->mUser->isAllowed( 'reset-passwords' ) ) { - $this->error( wfMsg( 'resetpass-no-others' ) ); - return; - } - - if( $wgRequest->wasPosted() && $this->mUser->matchEditToken( $wgRequest->getVal('token') ) ) { + if( $wgRequest->wasPosted() && $wgUser->matchEditToken( $wgRequest->getVal('token') ) ) { try { $this->attemptReset( $this->mNewpass, $this->mRetype ); $wgOut->addWikiMsg( 'resetpass_success' ); - // Only attempt this login session if we're changing our own password - if( $this->mSelfChange && !$wgUser->isLoggedIn() ) { + if( !$wgUser->isLoggedIn() ) { $data = array( 'action' => 'submitlogin', 'wpName' => $this->mUserName, @@ -109,15 +75,13 @@ class SpecialResetpass extends SpecialPage { global $wgOut, $wgUser, $wgRequest; $wgOut->disallowUserJs(); - - if ( $this->mUser->isAllowed( 'reset-passwords') ) { - $wgOut->addScriptFile( 'changepassword.js' ); - } $self = SpecialPage::getTitleFor( 'Resetpass' ); - + if ( !$this->mUserName ) { + $this->mUserName = $wgUser->getName(); + } $rememberMe = ''; - if ( !$this->mUser->isLoggedIn() ) { + if ( !$wgUser->isLoggedIn() ) { $rememberMe = '' . '' . '' . 
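Review bot: The POST branch checks `$wgUser->matchEditToken( $wgRequest->getVal('token') )`, but in the logged-out flow `$wgUser` is the anonymous user, and the hunk does not show whether an anonymous user's token is bound to the session. If it is not, this request, which ends by submitting a login when `!$wgUser->isLoggedIn()`, has no effective cross-site request protection. That is worth confirming in User::matchEditToken; if it holds, either give this form a session-bound token or record the limitation with `// anon token is not session-bound; the old/temporary password is the only gate here`. The enclosing execute() continues outside the hunk.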
@@ -132,24 +96,24 @@ class SpecialResetpass extends SpecialPage { $oldpassMsg = 'oldpassword'; $submitMsg = 'resetpass-submit-loggedin'; } - $s = Xml::fieldset( wfMsg( 'resetpass_header' ) ) . + $wgOut->addHTML( + Xml::fieldset( wfMsg( 'resetpass_header' ) ) . Xml::openElement( 'form', array( 'method' => 'post', 'action' => $self->getLocalUrl(), 'id' => 'mw-resetpass-form' ) ) . - Xml::hidden( 'token', $this->mUser->editToken() ) . + Xml::hidden( 'token', $wgUser->editToken() ) . + Xml::hidden( 'wpName', $this->mUserName ) . Xml::hidden( 'returnto', $wgRequest->getVal( 'returnto' ) ) . wfMsgExt( 'resetpass_text', array( 'parse' ) ) . - Xml::openElement( 'table', array( 'id' => 'mw-resetpass-table' ) ); - $formElements = array( - array( 'wpName', 'username', 'text', $this->mUserName, $this->mUser->isAllowed( 'reset-passwords' ) ), - array( 'wpPassword', $oldpassMsg, 'password', $this->mOldpass, $this->mSelfChange ), - array( 'wpNewPassword', 'newpassword', 'password', '', true ), - array( 'wpRetype', 'retypenew', 'password', '', true ) ); - if ( $this->mUser->isAllowed( 'reset-passwords' ) && $this->mSelfChange ) - $formElements[] = array( 'wpComment', 'resetpass-comment', 'text', $this->mComment, true ); - $s .= $this->pretty( $formElements ) . + Xml::openElement( 'table', array( 'id' => 'mw-resetpass-table' ) ) . + $this->pretty( array( + array( 'wpName', 'username', 'text', $this->mUserName ), + array( 'wpPassword', $oldpassMsg, 'password', $this->mOldpass ), + array( 'wpNewPassword', 'newpassword', 'password', '' ), + array( 'wpRetype', 'retypenew', 'password', '' ), + ) ) . $rememberMe . '' . '' . 
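Review bot: `array( 'wpPassword', $oldpassMsg, 'password', $this->mOldpass )` feeds the submitted old or temporary password back into `pretty()`, which passes it as the value of the password input, so the secret is written into the response HTML whenever the form is rendered with a submitted value. This presumably exists so that a temporary password typed on the login form carries over, but after a failed attempt it leaves the password in the page source and in anything that stores the response. Consider passing `''` when the form is redisplayed after an error, or at least document the prefill with `// prefilled from the login POST; this response must not be cached`. The enclosing form-building method starts and ends outside this hunk.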
@@ -159,23 +123,28 @@ class SpecialResetpass extends SpecialPage { '' . Xml::closeElement( 'table' ) . Xml::closeElement( 'form' ) . - Xml::closeElement( 'fieldset' ); - $wgOut->addHtml( $s ); + Xml::closeElement( 'fieldset' ) + ); } function pretty( $fields ) { $out = ''; foreach( $fields as $list ) { - list( $name, $label, $type, $value, $enabled ) = $list; - $params = array( 'id' => $name, 'type' => $type ); - if ( !$enabled ) - $params['disabled'] = 'disabled'; - $field = Xml::input( $name, 20, $value, $params ); + list( $name, $label, $type, $value ) = $list; + if( $type == 'text' ) { + $field = htmlspecialchars( $value ); + } else { + $field = Xml::input( $name, 20, $value, + array( 'id' => $name, 'type' => $type ) ); + } $out .= ''; - $out .= ''; - $out .= Xml::label( wfMsg( $label ), $name ); + $out .= ""; + if ( $type != 'text' ) + $out .= Xml::label( wfMsg( $label ), $name ); + else + $out .= wfMsg( $label ); $out .= ''; - $out .= ''; + $out .= ""; $out .= $field; $out .= ''; $out .= ''; @@ -197,13 +166,11 @@ class SpecialResetpass extends SpecialPage { throw new PasswordError( wfMsg( 'badretype' ) ); } - if ( $this->mSelfChange ) { - if( !$user->checkTemporaryPassword($this->mOldpass) && !$user->checkPassword($this->mOldpass) ) { - wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'wrongpassword' ) ); - throw new PasswordError( wfMsg( 'resetpass-wrong-oldpass' ) ); - } + if( !$user->checkTemporaryPassword($this->mOldpass) && !$user->checkPassword($this->mOldpass) ) { + wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'wrongpassword' ) ); + throw new PasswordError( wfMsg( 'resetpass-wrong-oldpass' ) ); } - + try { $user->setPassword( $this->mNewpass ); wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'success' ) ); 
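Review bot: In `pretty()`, the text-type branch emits `$out .= wfMsg( $label );` unescaped, while the other branch builds the label with `Xml::label()` and the value beside it goes through `htmlspecialchars()`. Interface messages can be edited on-wiki, so raw message text should not be concatenated into HTML; `$out .= wfMsgHtml( $label );` (or `htmlspecialchars( wfMsg( $label ) )`) keeps the two branches consistent. The comparisons `$type == 'text'` and `$type != 'text'` could also be strict, and the brace-less `if`/`else` is easy to break on a later edit. pretty()'s closing lines are outside this hunk.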
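Review bot: With the old-password check unconditional again in `attemptReset()`, a wrong guess only runs the `PrefsPasswordAudit` hook and throws `PasswordError`; nothing visible in the hunk counts the failure against an attempt limit. Because the account name comes from the `wpName` request parameter, this form will test a password for any account, so it should share whatever throttling the login form applies, if any. I would add that check before `checkTemporaryPassword()`/`checkPassword()`, or, if it is meant to live in a hook handler, say so with `// failed attempts are rate-limited by PrefsPasswordAudit handlers`. attemptReset() starts and ends outside the hunk.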
@@ -214,14 +181,7 @@ class SpecialResetpass extends SpecialPage { return; } - if ( !$this->mSelfChange ) { - $log = new LogPage( 'password' ); - $log->addEntry( 'reset', $user->getUserPage(), $this->mComment ); - } else { - // Only set cookies if it was a self-change - $user->setCookies(); - } - + $user->setCookies(); $user->saveSettings(); } } diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php index cb35ba6ec7..b065bdd6a4 100644 --- a/includes/specials/SpecialUserlogin.php +++ b/includes/specials/SpecialUserlogin.php @@ -589,8 +589,7 @@ class LoginForm { global $wgOut; $wgOut->addHTML( Xml::element('p', array( 'class' => 'error' ), $error ) ); $reset = new SpecialResetpass(); - $reset->setUser( User::newFromName( $this->mName ) ); - $reset->execute( $this->mName ); + $reset->execute( null ); } /** diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 124a30ca9d..563ea47197 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php @@ -1018,7 +1018,6 @@ You may have already successfully changed your password or requested a new tempo 'resetpass-wrong-oldpass' => 'Invalid temporary or current password. You may have already successfully changed your password or requested a new temporary password.', 'resetpass-temp-password' => 'Temporary password:', -'resetpass-no-others' => 'You cannot reset the password for other users.', 'resetpass-log' => 'Password resets log', 'resetpass-logtext' => 'Below is a log of users who have had their password reset by an administrator.', 'resetpass-logentry' => 'changed the password for $1', -- 2.20.1
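Review bot: In the SpecialUserlogin.php hunk, `$reset->execute( null );` works only because SpecialResetpass::execute() reads `wpName` and `wpPassword` from `$wgRequest`, that is, from the login request still being processed; the temporary-password login appears to depend on that coupling, and it is not stated anywhere in the new code. A comment above the call would keep a later change from breaking it again: `// SpecialResetpass takes wpName/wpPassword from the current login request; do not pass a user or name here`. The enclosing method starts outside the hunk.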