3 * Implements Special:Blankpage
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
21 * @ingroup SpecialPage
25 * Special page for requesting a password reset email
27 * @ingroup SpecialPage
29 class SpecialPasswordReset
extends FormSpecialPage
{
31 public function __construct() {
32 parent
::__construct( 'PasswordReset' );
35 public function userCanExecute( User
$user ) {
36 $error = $this->canChangePassword( $user );
37 if ( is_string( $error ) ) {
38 throw new ErrorPageError( 'internalerror', $error );
39 } else if ( !$error ) {
40 throw new ErrorPageError( 'internalerror', 'resetpass_forbidden' );
43 return parent
::userCanExecute( $user );
46 protected function getFormFields() {
47 global $wgPasswordResetRoutes;
49 if ( isset( $wgPasswordResetRoutes['username'] ) && $wgPasswordResetRoutes['username'] ) {
50 $a['Username'] = array(
52 'label-message' => 'passwordreset-username',
56 if ( isset( $wgPasswordResetRoutes['email'] ) && $wgPasswordResetRoutes['email'] ) {
59 'label-message' => 'passwordreset-email',
66 public function alterForm( HTMLForm
$form ) {
67 $form->setSubmitText( wfMessage( "mailmypassword" ) );
70 protected function preText() {
71 global $wgPasswordResetRoutes;
73 if ( isset( $wgPasswordResetRoutes['username'] ) && $wgPasswordResetRoutes['username'] ) {
76 if ( isset( $wgPasswordResetRoutes['email'] ) && $wgPasswordResetRoutes['email'] ) {
79 return wfMessage( 'passwordreset-pretext', $i )->parseAsBlock();
83 * Process the form. At this point we know that the user passes all the criteria in
84 * userCanExecute(), and if the data array contains 'Username', etc, then Username
89 public function onSubmit( array $data ) {
91 if ( isset( $data['Username'] ) && $data['Username'] !== '' ) {
93 $users = array( User
::newFromName( $data['Username'] ) );
94 } elseif ( isset( $data['Email'] )
95 && $data['Email'] !== ''
96 && Sanitizer
::validateEmail( $data['Email'] ) )
99 $res = wfGetDB( DB_SLAVE
)->select(
102 array( 'user_email' => $data['Email'] ),
107 foreach( $res as $row ){
108 $users[] = User
::newFromRow( $row );
111 // Some sort of database error, probably unreachable
112 throw new MWException( 'Unknown database error in ' . __METHOD__
);
115 // The user didn't supply any data
119 // Check for hooks (captcha etc), and allow them to modify the users list
121 if ( !wfRunHooks( 'SpecialPasswordResetOnSubmit', array( &$users, $data, &$error ) ) ) {
122 return array( $error );
125 if( count( $users ) == 0 ){
126 if( $method == 'email' ){
127 // Don't reveal whether or not an email address is in use
130 return array( 'noname' );
134 $firstUser = $users[0];
136 if ( !$firstUser instanceof User ||
!$firstUser->getID() ) {
137 return array( array( 'nosuchuser', $data['Username'] ) );
140 // Check against the rate limiter
141 if ( $this->getUser()->pingLimiter( 'mailpassword' ) ) {
142 throw new ThrottledError
;
145 // Check against password throttle
146 foreach ( $users as $user ) {
147 if ( $user->isPasswordReminderThrottled() ) {
148 global $wgPasswordReminderResendTime;
149 # Round the time in hours to 3 d.p., in case someone is specifying
150 # minutes or seconds.
151 return array( array( 'throttled-mailpassword', round( $wgPasswordReminderResendTime, 3 ) ) );
155 global $wgServer, $wgScript, $wgNewPasswordExpiry;
157 // All the users will have the same email address
158 if ( $firstUser->getEmail() == '' ) {
159 // This won't be reachable from the email route, so safe to expose the username
160 return array( array( 'noemail', $firstUser->getName() ) );
163 // We need to have a valid IP address for the hook, but per bug 18347, we should
164 // send the user's name if they're logged in.
167 return array( 'badipaddress' );
169 $caller = $this->getUser();
170 wfRunHooks( 'User::mailPasswordInternal', array( &$caller, &$ip, &$firstUser ) );
171 $username = $caller->getName();
172 $msg = IP
::isValid( $username )
173 ?
'passwordreset-emailtext-ip'
174 : 'passwordreset-emailtext-user';
176 $passwords = array();
177 foreach ( $users as $user ) {
178 $password = $user->randomPassword();
179 $user->setNewpassword( $password );
180 $user->saveSettings();
181 $passwords[] = wfMessage( 'passwordreset-emailelement', $user->getName(), $password );
183 $passwordBlock = implode( "\n\n", $passwords );
185 // Send in the user's language; which should hopefully be the same
186 $userLanguage = $firstUser->getOption( 'language' );
188 $body = wfMessage( $msg )->inLanguage( $userLanguage );
193 $wgServer . $wgScript,
194 round( $wgNewPasswordExpiry / 86400 )
197 $title = wfMessage( 'passwordreset-emailtitle' );
199 $result = $firstUser->sendMail( $title->text(), $body->text() );
201 if ( $result->isGood() ) {
204 // @todo FIXME: The email didn't send, but we have already set the password throttle
205 // timestamp, so they won't be able to try again until it expires... :(
206 return array( array( 'mailerror', $result->getMessage() ) );
210 public function onSuccess() {
211 $this->getOutput()->addWikiMsg( 'passwordreset-emailsent' );
212 $this->getOutput()->returnToMain();
215 function canChangePassword( User
$user ) {
216 global $wgPasswordResetRoutes, $wgAuth;
218 // Maybe password resets are disabled, or there are no allowable routes
219 if ( !is_array( $wgPasswordResetRoutes ) ||
220 !in_array( true, array_values( $wgPasswordResetRoutes ) ) ) {
221 return 'passwordreset-disabled';
224 // Maybe the external auth plugin won't allow local password changes
225 if ( !$wgAuth->allowPasswordChange() ) {
226 return 'resetpass_forbidden';
229 // Maybe the user is blocked (check this here rather than relying on the parent
230 // method as we have a more specific error message to use here
231 if ( $user->isBlocked() ) {
232 return 'blocked-mailpassword';
240 * Hide the password reset page if resets are disabled.
243 function isListed() {
246 if ( $this->canChangePassword( $wgUser ) === true ) {
247 return parent
::isListed();