determines whether to set a cookie when a user is autoblocked. Doing so means
that a blocked user, even after logging out and moving to a new IP address,
will still be blocked.
+* The resetpassword right and associated password reset capture feature has
+ been removed.
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user if
action=createaccount, action=linkaccount, and action=changeauthenticationdata
in the query string is now an error. They should be submitted in the POST
body instead.
+* The capture option for action=resetpassword has been removed
=== Action API internal changes in 1.29 ===
$passwordReset = new PasswordReset( $this->getConfig(), AuthManager::singleton() );
- $status = $passwordReset->isAllowed( $this->getUser(), $params['capture'] );
+ $status = $passwordReset->isAllowed( $this->getUser() );
if ( !$status->isOK() ) {
$this->dieStatus( Status::wrap( $status ) );
}
$status = $passwordReset->execute(
- $this->getUser(), $params['user'], $params['email'], $params['capture']
+ $this->getUser(), $params['user'], $params['email']
);
if ( !$status->isOK() ) {
$status->value = null;
$result = $this->getResult();
$result->addValue( [ 'resetpassword' ], 'status', 'success' );
- if ( $params['capture'] ) {
- $passwords = $status->getValue() ?: [];
- ApiResult::setArrayType( $passwords, 'kvp', 'user' );
- ApiResult::setIndexedTagName( $passwords, 'p' );
- $result->addValue( [ 'resetpassword' ], 'passwords', $passwords );
- }
}
public function isWriteMode() {
'email' => [
ApiBase::PARAM_TYPE => 'string',
],
- 'capture' => false,
];
$resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
"apihelp-resetpassword-description-noroutes": "No password reset routes are available.\n\nEnable routes in <var>[[mw:Manual:$wgPasswordResetRoutes|$wgPasswordResetRoutes]]</var> to use this module.",
"apihelp-resetpassword-param-user": "User being reset.",
"apihelp-resetpassword-param-email": "Email address of the user being reset.",
- "apihelp-resetpassword-param-capture": "Return the temporary passwords that were sent. Requires the <code>passwordreset</code> user right.",
"apihelp-resetpassword-example-user": "Send a password reset email to user <kbd>Example</kbd>.",
"apihelp-resetpassword-example-email": "Send a password reset email for all users with email address <kbd>user@example.com</kbd>.",
"apihelp-resetpassword-description-noroutes": "{{doc-apihelp-description|resetpassword|info=This message is used when no known routes are enabled in <var>[[mw:Manual:$wgPasswordResetRoutes|$wgPasswordResetRoutes]]</var>.|seealso={{msg-mw|apihelp-resetpassword-description}}}}",
"apihelp-resetpassword-param-user": "{{doc-apihelp-param|resetpassword|user}}",
"apihelp-resetpassword-param-email": "{{doc-apihelp-param|resetpassword|email}}",
- "apihelp-resetpassword-param-capture": "{{doc-apihelp-param|resetpassword|capture}}",
"apihelp-resetpassword-example-user": "{{doc-apihelp-example|resetpassword}}",
"apihelp-resetpassword-example-email": "{{doc-apihelp-example|resetpassword}}",
"apihelp-revisiondelete-description": "{{doc-apihelp-description|revisiondelete}}",
/** @var bool Email password to the user. */
public $mailpassword = false;
- /**
- * @var bool Do not fail certain operations if the password cannot be mailed, there is a
- * backchannel present.
- */
- public $hasBackchannel = false;
-
/** @var string Username or IP address of the caller */
public $caller;
$sv->merge( $this->checkPasswordValidity( $username, $req->password ) );
if ( $req->mailpassword ) {
- if ( !$this->emailEnabled && !$req->hasBackchannel ) {
+ if ( !$this->emailEnabled ) {
return \StatusValue::newFatal( 'passwordreset-emaildisabled' );
}
$ret = \StatusValue::newGood();
if ( $req ) {
- if ( $req->mailpassword && !$req->hasBackchannel ) {
+ if ( $req->mailpassword ) {
if ( !$this->emailEnabled ) {
$ret->merge( \StatusValue::newFatal( 'emaildisabled' ) );
} elseif ( !$user->getEmail() ) {
];
}
- if ( $this->getUser()->isAllowed( 'passwordreset' ) ) {
- $a['Capture'] = [
- 'type' => 'check',
- 'label-message' => 'passwordreset-capture',
- 'help-message' => 'passwordreset-capture-help',
- ];
- }
-
return $a;
}
* @return Status
*/
public function onSubmit( array $data ) {
- if ( isset( $data['Capture'] ) && !$this->getUser()->isAllowed( 'passwordreset' ) ) {
- // The user knows they don't have the passwordreset permission,
- // but they tried to spoof the form. That's naughty
- throw new PermissionsError( 'passwordreset' );
- }
-
$username = isset( $data['Username'] ) ? $data['Username'] : null;
$email = isset( $data['Email'] ) ? $data['Email'] : null;
- $capture = !empty( $data['Capture'] );
$this->method = $username ? 'username' : 'email';
$this->result = Status::wrap(
- $this->getPasswordReset()->execute( $this->getUser(), $username, $email, $capture ) );
- if ( $capture && $this->result->isOK() ) {
- $this->passwords = $this->result->getValue();
- }
+ $this->getPasswordReset()->execute( $this->getUser(), $username, $email ) );
if ( $this->result->hasMessage( 'actionthrottledtext' ) ) {
throw new ThrottledError;
}
public function onSuccess() {
- if ( $this->getUser()->isAllowed( 'passwordreset' ) && $this->passwords ) {
- if ( $this->result->isGood() ) {
- $this->getOutput()->addWikiMsg( 'passwordreset-emailsent-capture2',
- count( $this->passwords ) );
- } else {
- $this->getOutput()->addWikiMsg( 'passwordreset-emailerror-capture2',
- $this->result->getMessage(), key( $this->passwords ), count( $this->passwords ) );
- }
-
- $this->getOutput()->addHTML( Html::openElement( 'ul' ) );
- foreach ( $this->passwords as $username => $pwd ) {
- $this->getOutput()->addHTML( Html::rawElement( 'li', [],
- htmlspecialchars( $username, ENT_QUOTES )
- . $this->msg( 'colon-separator' )->text()
- . htmlspecialchars( $pwd, ENT_QUOTES )
- ) );
- }
- $this->getOutput()->addHTML( Html::closeElement( 'ul' ) );
- }
-
if ( $this->method === 'email' ) {
$this->getOutput()->addWikiMsg( 'passwordreset-emailsentemail' );
} else {
protected $logger;
/**
- * In-process cache for isAllowed lookups, by username. Contains pairs of StatusValue objects
- * (for false and true value of $displayPassword, respectively).
+ * In-process cache for isAllowed lookups, by username.
+ * Contains a StatusValue object
* @var HashBagOStuff
*/
private $permissionCache;
* @param User $user
* @param bool $displayPassword If set, also check whether the user is allowed to reset the
* password of another user and see the temporary password.
+ * @since 1.29 Second argument for displayPassword removed.
* @return StatusValue
*/
- public function isAllowed( User $user, $displayPassword = false ) {
- $statuses = $this->permissionCache->get( $user->getName() );
- if ( $statuses ) {
- list ( $status, $status2 ) = $statuses;
- } else {
+ public function isAllowed( User $user ) {
+ $status = $this->permissionCache->get( $user->getName() );
+ if ( !$status ) {
$resetRoutes = $this->config->get( 'PasswordResetRoutes' );
$status = StatusValue::newGood();
$status = StatusValue::newFatal( 'blocked-mailpassword' );
}
- $status2 = StatusValue::newGood();
- if ( !$user->isAllowed( 'passwordreset' ) ) {
- $status2 = StatusValue::newFatal( 'badaccess' );
- }
-
- $this->permissionCache->set( $user->getName(), [ $status, $status2 ] );
+ $this->permissionCache->set( $user->getName(), $status );
}
- if ( !$displayPassword || !$status->isGood() ) {
- return $status;
- } else {
- return $status2;
- }
+ return $status;
}
/**
* Process the form. At this point we know that the user passes all the criteria in
* userCanExecute(), and if the data array contains 'Username', etc, then Username
* resets are allowed.
+ *
+ * @since 1.29 Fourth argument for displayPassword removed.
* @param User $performingUser The user that does the password reset
* @param string $username The user whose password is reset
* @param string $email Alternative way to specify the user
- * @param bool $displayPassword Whether to display the password
* @return StatusValue Will contain the passwords as a username => password array if the
* $displayPassword flag was set
* @throws LogicException When the user is not allowed to perform the action
* @throws MWException On unexpected DB errors
*/
public function execute(
- User $performingUser, $username = null, $email = null, $displayPassword = false
+ User $performingUser, $username = null, $email = null
) {
- if ( !$this->isAllowed( $performingUser, $displayPassword )->isGood() ) {
- $action = $this->isAllowed( $performingUser )->isGood() ? 'display' : 'reset';
+ if ( !$this->isAllowed( $performingUser )->isGood() ) {
throw new LogicException( 'User ' . $performingUser->getName()
- . ' is not allowed to ' . $action . ' passwords' );
+ . ' is not allowed to reset passwords' );
}
$resetRoutes = $this->config->get( 'PasswordResetRoutes' )
$data = [
'Username' => $username,
'Email' => $email,
- 'Capture' => $displayPassword ? '1' : null,
];
if ( !Hooks::run( 'SpecialPasswordResetOnSubmit', [ &$users, $data, &$error ] ) ) {
return StatusValue::newFatal( Message::newFromSpecifier( $error ) );
$req = TemporaryPasswordAuthenticationRequest::newRandom();
$req->username = $user->getName();
$req->mailpassword = true;
- $req->hasBackchannel = $displayPassword;
$req->caller = $performingUser->getName();
$status = $this->authManager->allowsAuthenticationDataChange( $req, true );
if ( $status->isGood() && $status->getValue() !== 'ignored' ) {
'targetUsername' => $username,
'targetEmail' => $email,
'actualUser' => $firstUser->getName(),
- 'capture' => $displayPassword,
];
if ( !$result->isGood() ) {
$passwords = [];
foreach ( $reqs as $req ) {
$this->authManager->changeAuthenticationData( $req );
- // TODO record mail sending errors
- if ( $displayPassword ) {
- $passwords[$req->username] = $req->password;
- }
}
- if ( $displayPassword ) {
- // The password capture thing is scary, so log
- // at a higher warning level.
- $this->logger->warning(
- "{requestingUser} did password reset of {actualUser} with password capturing!",
- $logContext
- );
- } else {
- $this->logger->info(
- "{requestingUser} did password reset of {actualUser}",
- $logContext
- );
- }
+ $this->logger->info(
+ "{requestingUser} did password reset of {actualUser}",
+ $logContext
+ );
return StatusValue::newGood( $passwords );
}
'noratelimit',
'override-export-depth',
'pagelang',
- 'passwordreset',
'patrol',
'patrolmarks',
'protect',
"passwordreset-emaildisabled": "Email features have been disabled on this wiki.",
"passwordreset-username": "Username:",
"passwordreset-domain": "Domain:",
- "passwordreset-capture": "View the resulting email?",
- "passwordreset-capture-help": "If you check this box, the email (with the temporary password) will be shown to you as well as being sent to the user.",
"passwordreset-email": "Email address:",
"passwordreset-emailtitle": "Account details on {{SITENAME}}",
"passwordreset-emailtext-ip": "Someone (probably you, from IP address $1) requested a reset of your\npassword for {{SITENAME}} ($4). The following user {{PLURAL:$3|account is|accounts are}}\nassociated with this email address:\n\n$2\n\n{{PLURAL:$3|This temporary password|These temporary passwords}} will expire in {{PLURAL:$5|one day|$5 days}}.\nYou should log in and choose a new password now. If someone else made this\nrequest, or if you have remembered your original password, and you no longer\nwish to change it, you may ignore this message and continue using your old\npassword.",
"passwordreset-emailelement": "Username:\n$1\n\nTemporary password:\n$2",
"passwordreset-emailsentemail": "If this email address is associated with your account, then a password reset email will be sent.",
"passwordreset-emailsentusername": "If there is an email address associated with this username, then a password reset email will be sent.",
- "passwordreset-emailsent-capture2": "The password reset {{PLURAL:$1|email has|emails have}} been sent. The {{PLURAL:$1|username and password|list of usernames and passwords}} is shown here.",
- "passwordreset-emailerror-capture2": "Emailing the {{GENDER:$2|user}} failed: $1 The {{PLURAL:$3|username and password|list of usernames and passwords}} is shown here.",
"passwordreset-nocaller": "A caller must be provided",
"passwordreset-nosuchcaller": "Caller does not exist: $1",
"passwordreset-ignored": "The password reset was not handled. Maybe no provider was configured?",
"right-siteadmin": "Lock and unlock the database",
"right-override-export-depth": "Export pages including linked pages up to a depth of 5",
"right-sendemail": "Send email to other users",
- "right-passwordreset": "View password reset emails",
"right-managechangetags": "Create and (de)activate [[Special:Tags|tags]]",
"right-applychangetags": "Apply [[Special:Tags|tags]] along with one's changes",
"right-changetags": "Add and remove arbitrary [[Special:Tags|tags]] on individual revisions and log entries",
"passwordreset-emaildisabled": "Used as error message in changing password when site's email feature is disabled.",
"passwordreset-username": "{{Identical|Username}}",
"passwordreset-domain": "A domain like used in Domain Name System (DNS) or more specifically like a domain component in the Lightweight Directory Access Protocol (LDAP).\n{{Identical|Domain}}",
- "passwordreset-capture": "Label for checkbox asking the user whether they want to see the contents of the password reset email (only shown if they have the <code>passwordreset</code> permission).",
- "passwordreset-capture-help": "Longer explanatory message for the capture checkbox label.",
"passwordreset-email": "{{Identical|E-mail address}}",
"passwordreset-emailtitle": "Used as subject (title) of email.",
"passwordreset-emailtext-ip": "Be consistent with {{msg-mw|Passwordreset-emailtext-user}}.\n\nParameters:\n* $1 - an IP address\n* $2 - message {{msg-mw|Passwordreset-emailelement}} repeated $3 times\n* $3 - the number of repetitions in $2\n* $4 - base URL of the wiki\n* $5 - number of days",
"passwordreset-emailelement": "This is a body of a password reset email to allow them into the system with a new password. Parameters:\n* $1 - the user's login name. This parameter can be used for GENDER.\n* $2 - the temporary password given by the system",
"passwordreset-emailsentemail": "Used in [[Special:PasswordReset]].\n\nSee also:\n* {{msg-mw|Passwordreset-emailsent-capture}}\n* {{msg-mw|Passwordreset-emailerror-capture}}",
"passwordreset-emailsentusername": "Used in [[Special:PasswordReset]].\n\nSee also:\n* {{msg-mw|Passwordreset-emailsent-capture}}\n* {{msg-mw|Passwordreset-emailerror-capture}}",
- "passwordreset-emailsent-capture2": "Used in [[Special:PasswordReset]].\n\nParameters:\n* $1 - number of accounts notified\n\nSee also:\n* {{msg-mw|Passwordreset-emailsentemail}}\n* {{msg-mw|Passwordreset-emailsentusername}}\n* {{msg-mw|Passwordreset-emailerror-capture}}",
- "passwordreset-emailerror-capture2": "Error message displayed in [[Special:PasswordReset]] when sending an email fails. Parameters:\n* $1 - error message\n* $2 - username, used for GENDER\n* $3 - number of accounts notified\n\nSee also:\n* {{msg-mw|Passwordreset-emailsentemail}}\n* {{msg-mw|Passwordreset-emailsentusername}}\n* {{msg-mw|Passwordreset-emailsent-capture}}\n* {{msg-mw|Passwordreset-emailerror-capture}}",
"passwordreset-nocaller": "Shown when a password reset was requested but the process failed due to an internal error related to missing details about the origin (caller) of the password reset request.",
"passwordreset-nosuchcaller": "Shown when a password reset was requested but the username of the caller could not be resolved to a user. This is an internal error.\n\nParameters:\n* $1 - username of the caller",
"passwordreset-ignored": "Shown when password reset was unsuccessful due to configuration problems.",
"right-siteadmin": "{{doc-right|siteadmin}}",
"right-override-export-depth": "{{doc-right|override-export-depth}}",
"right-sendemail": "{{doc-right|sendemail}}",
- "right-passwordreset": "{{doc-right|passwordreset}}",
"right-managechangetags": "{{doc-right|managechangetags}}",
"right-applychangetags": "{{doc-right|applychangetags}}",
"right-changetags": "{{doc-right|changetags}}",
$provider = $this->getProvider( [ 'emailEnabled' => false ] );
$status = $provider->providerAllowsAuthenticationDataChange( $req, true );
$this->assertEquals( \StatusValue::newFatal( 'passwordreset-emaildisabled' ), $status );
- $req->hasBackchannel = true;
- $status = $provider->providerAllowsAuthenticationDataChange( $req, true );
- $this->assertFalse( $status->hasMessage( 'passwordreset-emaildisabled' ) );
- $req->hasBackchannel = false;
$provider = $this->getProvider( [ 'passwordReminderResendTime' => 10 ] );
$status = $provider->providerAllowsAuthenticationDataChange( $req, true );
$provider = $this->getProvider( [ 'emailEnabled' => false ] );
$status = $provider->testForAccountCreation( $user, $creator, [ $req ] );
$this->assertEquals( \StatusValue::newFatal( 'emaildisabled' ), $status );
- $req->hasBackchannel = true;
- $status = $provider->testForAccountCreation( $user, $creator, [ $req ] );
- $this->assertFalse( $status->hasMessage( 'emaildisabled' ) );
- $req->hasBackchannel = false;
$provider = $this->getProvider( [ 'emailEnabled' => true ] );
$status = $provider->testForAccountCreation( $user, $creator, [ $req ] );
$this->assertEquals( \StatusValue::newFatal( 'noemailcreate' ), $status );
- $req->hasBackchannel = true;
- $status = $provider->testForAccountCreation( $user, $creator, [ $req ] );
- $this->assertFalse( $status->hasMessage( 'noemailcreate' ) );
- $req->hasBackchannel = false;
$user->setEmail( 'test@localhost.localdomain' );
$status = $provider->testForAccountCreation( $user, $creator, [ $req ] );
*/
public function testIsAllowed( $passwordResetRoutes, $enableEmail,
$allowsAuthenticationDataChange, $canEditPrivate, $canSeePassword,
- $userIsBlocked, $isAllowed, $isAllowedToDisplayPassword
+ $userIsBlocked, $isAllowed
) {
$config = new HashConfig( [
'PasswordResetRoutes' => $passwordResetRoutes,
$passwordReset = new PasswordReset( $config, $authManager );
$this->assertSame( $isAllowed, $passwordReset->isAllowed( $user )->isGood() );
- $this->assertSame( $isAllowedToDisplayPassword,
- $passwordReset->isAllowed( $user, true )->isGood() );
}
public function provideIsAllowed() {
'canSeePassword' => true,
'userIsBlocked' => false,
'isAllowed' => false,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => true,
'userIsBlocked' => false,
'isAllowed' => false,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => true,
'userIsBlocked' => false,
'isAllowed' => false,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => true,
'userIsBlocked' => false,
'isAllowed' => false,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => true,
'userIsBlocked' => true,
'isAllowed' => false,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => false,
'userIsBlocked' => false,
'isAllowed' => true,
- 'isAllowedToDisplayPassword' => false,
],
[
'passwordResetRoutes' => [ 'username' => true ],
'canSeePassword' => true,
'userIsBlocked' => false,
'isAllowed' => true,
- 'isAllowedToDisplayPassword' => true,
],
];
}