13 commits

Author SHA1 Message Date
Dreamy Jazz
560197c660 Deny temp account autocreation when temp accounts are disabled
Why:
* When temporary accounts are disabled, no new temporary
  accounts should be created either on edit or through
  a CentralAuth autocreation.
* UserNameUtils::isUsable is used to prevent the
  CentralAuth autocreation making the temporary account
  username not usable for login or account creation.
* However, this check to determine if the name is
  reserved by the temporary user system still considers
  the name as a valid temporary account if the system
  was once enabled (but since disabled).
* This is a bug, and instead if the feature is disabled
  the username should be considered unusable. This then
  prevents the CentralAuth autocreation on a wiki which
  knows the feature but has it disabled.

What:
* Update UserNameUtils::isUsable to return false if
  the name is reserved by the temporary user system
  and TempUserConfig::isEnabled returns false.
* Test this new behaviour with a unit test.

Bug: T370513
Change-Id: I467c39538796a660a7417397c99928a1a25007bc
2024-07-19 16:32:35 +00:00
sbassett
fa4d2ace18 Add additional IP range validation to isValid function
* As a hardening measure, add a couple different types
  of IP range validation to UserNameUtils::isValid.  Such
  username patterns are often blocked on Wikimedia wikis
  via Title_blacklist, but not every MediaWiki operator
  has implemented such validation, and it is trivial to
  just add this to core.

Bug: T358535
Change-Id: Ib05bcc8568ad4158b97a5073ccc47baeb304bec1
2024-03-14 15:50:20 -05:00
Reedy
85396a9c99 tests: Fix @covers and @coversDefaultClass to have leading \
Change-Id: I5629f91387f2ac453ee4341bfe4bba310bd52f03
2024-02-16 22:43:56 +00:00
DannyS712
f11bee20d4 DummyServicesTrait: add an ITextFormatter
To avoid duplicating the creation of mocks/implementations

Change-Id: Id1094a9009acd100092f1b7cd55016d78900ce5f
2024-01-09 13:16:59 +00:00
Tim Starling
07f1bc9f89 Make "temp reserved" usernames not be "usable"
If a username matches $wgAutoCreateTempUser['reservedPattern'], but the
username is not a valid temp user, return false from
UserNameUtils::isUsable().

This makes reserved patterns analogous to $wgReservedUsernames, and
provides a simple way to reject central sessions for temp users on wikis
where temp users are disabled.

Bug: T342475
Change-Id: I1d7f843e71e605fccf3de93fd145ff43e396619f
2023-08-25 15:06:22 +10:00
Tim Starling
5e30a927bc tests: Make some PHPUnit data providers static
Just methods where adding "static" to the declaration was enough, I
didn't do anything with providers that used $this.

Initially by search and replace. There were many mistakes which I
found mostly by running the PHPStorm inspection which searches for
$this usage in a static method. Later I used the PHPStorm "make static"
action which avoids the more obvious mistakes.

Bug: T332865
Change-Id: I47ed6692945607dfa5c139d42edbd934fa4f3a36
2023-03-24 02:53:57 +00:00
Umherirrender
167fb2a979 unit tests: Use MainConfigNames constant to refer configs
When creating ServiceOptions objects or fake HashConfigs use the
constant to refer to the config name

Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 22:33:58 +02:00
Tim Starling
e8dbf5f80c TempUser infrastructure and services
Add services and utilities for automatic creation of temporary user
accounts on page save, in order to avoid exposing the user's IP
address.

* Add $wgAutoCreateTempUser, for configuring the system
* Add TempUserConfig service, which interprets the config.
* Add TempUserCreator service, which creates users during page save as
  requested by EditPage. With proxy methods to TempUserConfig for
  convenience.
* Add table user_autocreate_serial. Table creation is necessary before
  the feature is enabled but is not necessary before deployment of this
  commit.

Bug: T300263
Change-Id: Ib14a352490fc42039106523118e8d021844e3dfb
2022-04-14 09:23:55 +10:00
Tim Starling
97b8262d1f Use UserRigorOptions directly
Conventionally, public constants are accessed via their declaring
class, except for self:: which is an acceptable shortcut.

Change-Id: If05eab72140267e6ef54736710d751d7f24a7860
2022-03-25 10:06:34 +11:00
Ammarpad
c06dd6f667 UserNameUtils: Always strip subject namespace in canonical username.
A username with a namespace prefix is not a valid username. It's neither
creatable nor usable.

If the rigor validation passed to getCanonical() is not RIGOR_NONE,
this namespace prefix will always be removed by TitleParser.

We will now remove it even if the validation rigor is RIGOR_NONE
since the prefix can never appear in a legal username, and its presence
will cause issues later even if the strict validation is not requested.

The validation is turned off usually when it's not known whether the
username is an IP address or not, as is the case for T283915.

Bug: T283915
Change-Id: I34aa1d257f8bd90c80f40a76190a756d1e93e254
2022-02-21 22:37:44 +01:00
DannyS712
bbbc66f1ab UserNameUtilsTest: avoid duplication in testGetCanonical_interwiki
Merge as another case in provideGetCanonical now that we don't
need separate configuration because 'interwiki' is configured as an
interwiki prefix for all of the tests.

Follow-up: I3b54909e33e69fea8bb5ec55c99848c196859185
Change-Id: I5cc358be8a4f037d4bf336aeecc6fa1b157aeeb6
2021-07-28 21:20:13 +00:00
DannyS712
91ac8a717d Add UserNameUtils to DummyServicesTrait, and use it
Allows us to reduce direct mocking in individual tests, or relying
on MediaWikiServices, by having a reusable service instead that
can be used in unit tests.

Make use of it in a few places.

This dummy service is also less coupled to individual tests;
in the rest handler tests, replacing mocks that report that
only a specific string is an IP address with the actual implementation
that accepts other IP addresses, and in BlockUtilsTest use
an actually invalid user name instead of making the mock
UserNameUtils complain about a perfectly valid name.

Change-Id: Iaa3195002ac4ae7e0c9c58ed57c80c02762d4070
2021-07-27 12:17:06 +00:00
DannyS712
edd9ae23be Allow using MediaWikiTitleCodec with errors in unit tests
MediaWikiTitleCodec can throw MalformedTitleException,
which cannot be created in unit tests (see T281935). Until
that changes, add a helper callback
MediaWikiTitleCodec::$createMalformedTitleException
that will by default return a MalformedTitleException, but
tests can override this to return a mock.

We add this as an option to DummyServicesTrait to throw
generic `MalformedTitleException`s without regard to the
specifics of the message or parameters provided, this
can be used if no finer control is needed, or callers
can manually change the callback.

Demonstrate using it by moving the tests for UserNameUtils
to be unit tests - the only thing blocking this was the
creation of `MalformedTitleException`s.

Change-Id: I11ae4c6292465626ad1e432f7c6e9754c8ef36c2
2021-07-27 11:27:56 +00:00
Renamed from tests/phpunit/includes/user/UserNameUtilsTest.php