diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 4a89ea8b0d1..b9dacbf44dc 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -4804,7 +4804,7 @@ $wgExtensionCredits = array(); /** * Authentication plugin. - * @var AuthPlugin + * @var $wgAuth AuthPlugin */ $wgAuth = null; diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php index f8df8314fe2..b07ef80f702 100644 --- a/includes/specials/SpecialPasswordReset.php +++ b/includes/specials/SpecialPasswordReset.php @@ -28,6 +28,16 @@ */ class SpecialPasswordReset extends FormSpecialPage { + /** + * @var Message + */ + private $email; + + /** + * @var Status + */ + private $result; + public function __construct() { parent::__construct( 'PasswordReset' ); } @@ -69,6 +79,14 @@ class SpecialPasswordReset extends FormSpecialPage { ); } + if( $this->getUser()->isAllowed( 'passwordreset' ) ){ + $a['Capture'] = array( + 'type' => 'check', + 'label-message' => 'passwordreset-capture', + 'help-message' => 'passwordreset-capture-help', + ); + } + return $a; } @@ -109,6 +127,16 @@ class SpecialPasswordReset extends FormSpecialPage { } } + if( isset( $data['Capture'] ) && !$this->getUser()->isAllowed( 'passwordreset' ) ){ + // The user knows they don't have the passwordreset permission, but they tried to spoof the form. That's naughty + throw new PermissionsError( 'passwordreset' ); + } + + /** + * @var $firstUser User + * @var $users User[] + */ + if ( isset( $data['Username'] ) && $data['Username'] !== '' ) { $method = 'username'; $users = array( User::newFromName( $data['Username'] ) ); @@ -199,15 +227,15 @@ class SpecialPasswordReset extends FormSpecialPage { $password = $user->randomPassword(); $user->setNewpassword( $password ); $user->saveSettings(); - $passwords[] = wfMessage( 'passwordreset-emailelement', $user->getName(), $password ); + $passwords[] = wfMessage( 'passwordreset-emailelement', $user->getName(), $password )->plain(); // We'll escape the whole thing later } $passwordBlock = implode( "\n\n", $passwords ); // Send in the user's language; which should hopefully be the same $userLanguage = $firstUser->getOption( 'language' ); - $body = wfMessage( $msg )->inLanguage( $userLanguage ); - $body->params( + $this->email = wfMessage( $msg )->inLanguage( $userLanguage ); + $this->email->params( $username, $passwordBlock, count( $passwords ), @@ -217,18 +245,38 @@ class SpecialPasswordReset extends FormSpecialPage { $title = wfMessage( 'passwordreset-emailtitle' ); - $result = $firstUser->sendMail( $title->text(), $body->text() ); + $this->result = $firstUser->sendMail( $title->escaped(), $this->email->escaped() ); - if ( $result->isGood() ) { + // Blank the email if the user is not supposed to see it + if( !isset( $data['Capture'] ) || !$data['Capture'] ) { + $this->email = null; + } + + if ( $this->result->isGood() ) { + return true; + } elseif( isset( $data['Capture'] ) && $data['Capture'] ){ + // The email didn't send, but maybe they knew that and that's why they captured it return true; } else { // @todo FIXME: The email didn't send, but we have already set the password throttle // timestamp, so they won't be able to try again until it expires... :( - return array( array( 'mailerror', $result->getMessage() ) ); + return array( array( 'mailerror', $this->result->getMessage() ) ); } } public function onSuccess() { + if( $this->getUser()->isAllowed( 'passwordreset' ) && $this->email != null ){ + // @todo: Logging + + if( $this->result->isGood() ){ + $this->getOutput()->addWikiMsg( 'passwordreset-emailsent-capture' ); + } else { + $this->getOutput()->addWikiMsg( 'passwordreset-emailerror-capture', $this->result->getMessage() ); + } + + $this->getOutput()->addHTML( Html::rawElement( 'pre', array(), $this->email->escaped() ) ); + } + $this->getOutput()->addWikiMsg( 'passwordreset-emailsent' ); $this->getOutput()->returnToMain(); } diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index 7f6a5f0630a..8d53be93be3 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php @@ -1183,6 +1183,8 @@ You may have already successfully changed your password or requested a new tempo 'passwordreset-pretext' => '{{PLURAL:$1||Enter one of the pieces of data below}}', 'passwordreset-username' => 'Username:', 'passwordreset-domain' => 'Domain:', +'passwordreset-capture' => 'View the resulting email?', +'passwordreset-capture-help' => 'If you check this box, the email (with the temporary password) will be shown to you as well as being sent to the user.', 'passwordreset-email' => 'E-mail address:', 'passwordreset-emailtitle' => 'Account details on {{SITENAME}}', 'passwordreset-emailtext-ip' => 'Someone (probably you, from IP address $1) requested a reminder of your @@ -1209,6 +1211,8 @@ password.', 'passwordreset-emailelement' => 'Username: $1 Temporary password: $2', 'passwordreset-emailsent' => 'A reminder e-mail has been sent.', +'passwordreset-emailsent-capture' => 'A reminder e-mail has been sent, which is shown below.', +'passwordreset-emailerror-capture' => 'A reminder e-mail was generated, which is shown below, but sending it to the user failed: $1', # Special:ChangeEmail 'changeemail' => 'Change E-mail address', @@ -1980,6 +1984,7 @@ Your e-mail address is not revealed when other users contact you.', 'right-siteadmin' => 'Lock and unlock the database', 'right-override-export-depth' => 'Export pages including linked pages up to a depth of 5', 'right-sendemail' => 'Send e-mail to other users', +'right-passwordreset' => 'View password reset emails', # User rights log 'rightslog' => 'User rights log',