From 6dbe9b23972d671c933746406de39ad95544142c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Tue, 15 Nov 2016 04:04:24 +0000
Subject: [PATCH] Prevent login-only local password provider from removing passwords

When the local password provider is in login-only mode, it should disable itself as soon as some other primary provider is enabled. It's impossible to tell whether that is the case though, so err in the safer direction.

Change-Id: Ie77a9cc6d8f06aa52a893e753d9971e30b0f55e5
---
 ...ocalPasswordPrimaryAuthenticationProvider.php | 16 ++++++++--------
 ...PasswordPrimaryAuthenticationProviderTest.php | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index 88df68d310..1013990a03 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -242,14 +242,14 @@ class LocalPasswordPrimaryAuthenticationProvider
 $pwhash = null;
- if ( $this->loginOnly ) {
- $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
- $expiry = null;
- // @codeCoverageIgnoreStart
- } elseif ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
- // @codeCoverageIgnoreEnd
- $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
- $expiry = $this->getNewPasswordExpiry( $username );
+ if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
+ if ( $this->loginOnly ) {
+ $pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
+ $expiry = null;
+ } else {
+ $pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
+ $expiry = $this->getNewPasswordExpiry( $username );
+ }
 }
 if ( $pwhash ) {
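Review bot: The new inner `if ( $this->loginOnly )` branch carries no comment saying why a login-only provider replaces the stored hash with `newFromCiphertext( null )` only for an exact `PasswordAuthenticationRequest` and leaves it alone for every other request type; that rationale currently lives only in the commit message. I would add above the outer check a line such as `// Login-only: only a real password change may invalidate the local hash; other request types must leave it alone.` The same comment should state that the `get_class()` comparison is deliberately exact, since replacing it with `instanceof` would presumably let subclassed requests owned by other providers wipe the local password again. A consequence worth documenting for operators is that an old local hash appears to stay usable for login until the user next changes their password, so a migration away from local passwords likely needs its own cleanup step. The enclosing method starts and ends outside this hunk.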
diff --git a/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php b/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
index 088dd00fe8..cab10b4279 100644
--- a/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
+++ b/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
@@ -450,7 +450,7 @@ class LocalPasswordPrimaryAuthenticationProviderTest extends \MediaWikiTestCase
 $changeReq->password = $newpass;
 $provider->providerChangeAuthenticationData( $changeReq );
- if ( $loginOnly ) {
+ if ( $loginOnly && $changed ) {
 $old = 'fail';
 $new = 'fail';
 $expectExpiry = null;
-- 
2.20.1