dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add logging to password resets per request on code review. Also a little javascript...
[lhc/web/wiklou.git] / includes / specials / SpecialResetpass.php
1 <?php
2 /**
3 * @file
4 * @ingroup SpecialPage
5 */
6
7 /**
8 * Let users recover their password.
9 * @ingroup SpecialPage
10 */
11 class SpecialResetpass extends SpecialPage {
12
13 private $mSelfChange = true; // Usually, but sometimes not :)
14
15 public function __construct() {
16 parent::__construct( 'Resetpass' );
17 }
18
19 /**
20 * Main execution point
21 */
22 function execute( $par ) {
23 global $wgUser, $wgAuth, $wgOut, $wgRequest;
24
25 $this->mUserName = $wgRequest->getVal( 'wpName', $par );
26 $this->mOldpass = $wgRequest->getVal( 'wpPassword' );
27 $this->mNewpass = $wgRequest->getVal( 'wpNewPassword' );
28 $this->mRetype = $wgRequest->getVal( 'wpRetype' );
29 $this->mComment = $wgRequest->getVal( 'wpComment' );
30
31 $this->setHeaders();
32 $this->outputHeader();
33
34 if( !$wgAuth->allowPasswordChange() ) {
35 $this->error( wfMsg( 'resetpass_forbidden' ) );
36 return;
37 }
38
39 // Default to our own username when not given one
40 if ( !$this->mUserName ) {
41 $this->mUserName = $wgUser->getName();
42 }
43
44 // Are we changing our own?
45 if ( $wgUser->getName() != $this->mUserName ) {
46 $this->mSelfChange = false; // We're changing someone else
47 }
48
49 if( !$wgRequest->wasPosted() && !$wgUser->isLoggedIn() ) {
50 $this->error( wfMsg( 'resetpass-no-info' ) );
51 return;
52 }
53
54 if ( !$this->mSelfChange && !$wgUser->isAllowed( 'reset-passwords' ) ) {
55 $this->error( wfMsg( 'resetpass-no-others' ) );
56 return;
57 }
58
59 if( $wgRequest->wasPosted() && $wgUser->matchEditToken( $wgRequest->getVal('token') ) ) {
60 try {
61 $this->attemptReset( $this->mNewpass, $this->mRetype );
62 $wgOut->addWikiMsg( 'resetpass_success' );
63 // Only attempt this login session if we're changing our own password
64 if( $this->mSelfChange && !$wgUser->isLoggedIn() ) {
65 $data = array(
66 'action' => 'submitlogin',
67 'wpName' => $this->mUserName,
68 'wpPassword' => $this->mNewpass,
69 'returnto' => $wgRequest->getVal( 'returnto' ),
70 );
71 if( $wgRequest->getCheck( 'wpRemember' ) ) {
72 $data['wpRemember'] = 1;
73 }
74 $login = new LoginForm( new FauxRequest( $data, true ) );
75 $login->execute();
76 }
77 $titleObj = Title::newFromText( $wgRequest->getVal( 'returnto' ) );
78 if ( !$titleObj instanceof Title ) {
79 $titleObj = Title::newMainPage();
80 }
81 $wgOut->redirect( $titleObj->getFullURL() );
82 } catch( PasswordError $e ) {
83 $this->error( $e->getMessage() );
84 }
85 }
86 $this->showForm();
87 }
88
89 function error( $msg ) {
90 global $wgOut;
91 $wgOut->addHTML( Xml::element('p', array( 'class' => 'error' ), $msg ) );
92 }
93
94 function showForm() {
95 global $wgOut, $wgUser, $wgRequest;
96
97 $wgOut->disallowUserJs();
98
99 if ( $wgUser->isAllowed( 'reset-passwords') ) {
100 $wgOut->addScriptFile( 'changepassword.js' );
101 }
102
103 $self = SpecialPage::getTitleFor( 'Resetpass' );
104
105 $rememberMe = '';
106 if ( !$wgUser->isLoggedIn() ) {
107 $rememberMe = '<tr>' .
108 '<td></td>' .
109 '<td class="mw-input">' .
110 Xml::checkLabel( wfMsg( 'remembermypassword' ),
111 'wpRemember', 'wpRemember',
112 $wgRequest->getCheck( 'wpRemember' ) ) .
113 '</td>' .
114 '</tr>';
115 $submitMsg = 'resetpass_submit';
116 $oldpassMsg = 'resetpass-temp-password';
117 } else {
118 $oldpassMsg = 'oldpassword';
119 $submitMsg = 'resetpass-submit-loggedin';
120 }
121 $s = Xml::fieldset( wfMsg( 'resetpass_header' ) ) .
122 Xml::openElement( 'form',
123 array(
124 'method' => 'post',
125 'action' => $self->getLocalUrl(),
126 'id' => 'mw-resetpass-form' ) ) .
127 Xml::hidden( 'token', $wgUser->editToken() ) .
128 Xml::hidden( 'returnto', $wgRequest->getVal( 'returnto' ) ) .
129 wfMsgExt( 'resetpass_text', array( 'parse' ) ) .
130 Xml::openElement( 'table', array( 'id' => 'mw-resetpass-table' ) );
131 $formElements = array(
132 array( 'wpName', 'username', 'text', $this->mUserName, $wgUser->isAllowed( 'reset-passwords' ) ),
133 array( 'wpPassword', $oldpassMsg, 'password', $this->mOldpass, $this->mSelfChange ),
134 array( 'wpNewPassword', 'newpassword', 'password', '', true ),
135 array( 'wpRetype', 'retypenew', 'password', '', true ) );
136 if ( $wgUser->isAllowed( 'reset-passwords' ) && $this->mSelfChange )
137 $formElements[] = array( 'wpComment', 'resetpass-comment', 'text', $this->mComment, true );
138 $s .= $this->pretty( $formElements ) .
139 $rememberMe .
140 '<tr>' .
141 '<td></td>' .
142 '<td class="mw-input">' .
143 Xml::submitButton( wfMsg( $submitMsg ) ) .
144 '</td>' .
145 '</tr>' .
146 Xml::closeElement( 'table' ) .
147 Xml::closeElement( 'form' ) .
148 Xml::closeElement( 'fieldset' );
149 $wgOut->addHtml( $s );
150 }
151
152 function pretty( $fields ) {
153 $out = '';
154 foreach( $fields as $list ) {
155 list( $name, $label, $type, $value, $enabled ) = $list;
156 $params = array( 'id' => $name, 'type' => $type );
157 if ( !$enabled )
158 $params['disabled'] = 'disabled';
159 $field = Xml::input( $name, 20, $value, $params );
160 $out .= '<tr>';
161 $out .= '<td class="mw-label">';
162 $out .= Xml::label( wfMsg( $label ), $name );
163 $out .= '</td>';
164 $out .= '<td class="mw-input">';
165 $out .= $field;
166 $out .= '</td>';
167 $out .= '</tr>';
168 }
169 return $out;
170 }
171
172 /**
173 * @throws PasswordError when cannot set the new password because requirements not met.
174 */
175 protected function attemptReset( $newpass, $retype ) {
176 $user = User::newFromName( $this->mUserName );
177 if( !$user || $user->isAnon() ) {
178 throw new PasswordError( 'no such user' );
179 }
180
181 if( $newpass !== $retype ) {
182 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'badretype' ) );
183 throw new PasswordError( wfMsg( 'badretype' ) );
184 }
185
186 if ( $this->mSelfChange ) {
187 if( !$user->checkTemporaryPassword($this->mOldpass) && !$user->checkPassword($this->mOldpass) ) {
188 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'wrongpassword' ) );
189 throw new PasswordError( wfMsg( 'resetpass-wrong-oldpass' ) );
190 }
191 }
192
193 try {
194 $user->setPassword( $this->mNewpass );
195 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'success' ) );
196 $this->mNewpass = $this->mOldpass = $this->mRetypePass = '';
197 } catch( PasswordError $e ) {
198 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'error' ) );
199 throw new PasswordError( $e->getMessage() );
200 return;
201 }
202
203 if ( !$this->mSelfChange ) {
204 $log = new LogPage( 'password' );
205 $log->addEntry( 'reset', $user->getUserPage(), $this->mComment );
206 }
207
208 $user->setCookies();
209 $user->saveSettings();
210 }
211 }
Wiklou, le Wiki du Wiklou