2b19a410f0
Why: * Special:PasswordReset allows users to send an email containing a temporary password to the email address attached to an account. * Temporary accounts do not have passwords and cannot have an email address set (as they cannot access Special:Preferences). * Therefore, Special:PasswordReset does not provide holders of temporary accounts a way to get access back into the temporary account if they loose access. * However, the form currently accepts temporary account usernames and we should update the functionality to reject such usernames. What: * Update SpecialPasswordReset to reject temporary account usernames. * Expand tests for SpecialPasswordReset to check this fix has worked. Bug: T380085 Change-Id: I004453d4d16cd2a0448ac3922e4d13c24a158c8d (cherry picked from commit e27be818690820c0df227cb06206da499eb94d38)
206 lines
5.7 KiB
PHP
206 lines
5.7 KiB
PHP
<?php
|
|
/**
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*
|
|
* @file
|
|
*/
|
|
|
|
namespace MediaWiki\Specials;
|
|
|
|
use ErrorPageError;
|
|
use MediaWiki\HTMLForm\HTMLForm;
|
|
use MediaWiki\MainConfigNames;
|
|
use MediaWiki\SpecialPage\FormSpecialPage;
|
|
use MediaWiki\Status\Status;
|
|
use MediaWiki\User\PasswordReset;
|
|
use MediaWiki\User\User;
|
|
use ThrottledError;
|
|
|
|
/**
|
|
* Special page for requesting a password reset email.
|
|
*
|
|
* Requires the TemporaryPasswordPrimaryAuthenticationProvider and the
|
|
* EmailNotificationSecondaryAuthenticationProvider (or something providing equivalent
|
|
* functionality) to be enabled.
|
|
*
|
|
* @ingroup SpecialPage
|
|
*/
|
|
class SpecialPasswordReset extends FormSpecialPage {
|
|
private PasswordReset $passwordReset;
|
|
|
|
/**
|
|
* @param PasswordReset $passwordReset
|
|
*/
|
|
public function __construct( PasswordReset $passwordReset ) {
|
|
parent::__construct( 'PasswordReset', 'editmyprivateinfo' );
|
|
|
|
$this->passwordReset = $passwordReset;
|
|
}
|
|
|
|
public function doesWrites() {
|
|
return true;
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
public function userCanExecute( User $user ) {
|
|
return $this->passwordReset->isAllowed( $user )->isGood();
|
|
}
|
|
|
|
public function checkExecutePermissions( User $user ) {
|
|
$status = Status::wrap( $this->passwordReset->isAllowed( $user ) );
|
|
if ( !$status->isGood() ) {
|
|
throw new ErrorPageError( 'internalerror', $status->getMessage() );
|
|
}
|
|
|
|
parent::checkExecutePermissions( $user );
|
|
}
|
|
|
|
/**
|
|
* @param string|null $par
|
|
*/
|
|
public function execute( $par ) {
|
|
$out = $this->getOutput();
|
|
$out->disallowUserJs();
|
|
parent::execute( $par );
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
protected function getFormFields() {
|
|
$resetRoutes = $this->getConfig()->get( MainConfigNames::PasswordResetRoutes );
|
|
$a = [];
|
|
if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
|
|
$a['Username'] = [
|
|
'type' => 'user',
|
|
'default' => $this->getRequest()->getSession()->suggestLoginUsername(),
|
|
'label-message' => 'passwordreset-username',
|
|
'excludetemp' => true,
|
|
];
|
|
|
|
if ( $this->getUser()->isRegistered() ) {
|
|
$a['Username']['default'] = $this->getUser()->getName();
|
|
}
|
|
}
|
|
|
|
if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
|
|
$a['Email'] = [
|
|
'type' => 'email',
|
|
'label-message' => 'passwordreset-email',
|
|
];
|
|
}
|
|
|
|
return $a;
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
protected function getDisplayFormat() {
|
|
return 'ooui';
|
|
}
|
|
|
|
public function alterForm( HTMLForm $form ) {
|
|
$resetRoutes = $this->getConfig()->get( MainConfigNames::PasswordResetRoutes );
|
|
|
|
$form->setSubmitDestructive();
|
|
|
|
$form->addHiddenFields( $this->getRequest()->getValues( 'returnto', 'returntoquery' ) );
|
|
|
|
$i = 0;
|
|
if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
|
|
$i++;
|
|
}
|
|
if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
|
|
$i++;
|
|
}
|
|
|
|
$message = ( $i > 1 ) ? 'passwordreset-text-many' : 'passwordreset-text-one';
|
|
|
|
$form->setHeaderHtml( $this->msg( $message, $i )->parseAsBlock() );
|
|
$form->setSubmitTextMsg( 'mailmypassword' );
|
|
}
|
|
|
|
/**
|
|
* Process the form.
|
|
* At this point, we know that the user passes all the criteria in
|
|
* userCanExecute(), and if the data array contains 'Username', etc., then Username
|
|
* resets are allowed.
|
|
* @param array $data
|
|
* @return Status
|
|
*/
|
|
public function onSubmit( array $data ) {
|
|
$username = $data['Username'] ?? null;
|
|
$email = $data['Email'] ?? null;
|
|
|
|
$result = Status::wrap(
|
|
$this->passwordReset->execute( $this->getUser(), $username, $email ) );
|
|
|
|
if ( $result->hasMessage( 'actionthrottledtext' ) ) {
|
|
throw new ThrottledError;
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Show a message on the successful processing of the form.
|
|
* This doesn't necessarily mean a reset email was sent.
|
|
*/
|
|
public function onSuccess() {
|
|
$output = $this->getOutput();
|
|
|
|
// Information messages.
|
|
$output->addWikiMsg( 'passwordreset-success' );
|
|
$output->addWikiMsg( 'passwordreset-success-details-generic',
|
|
$this->getConfig()->get( MainConfigNames::PasswordReminderResendTime ) );
|
|
|
|
// Confirmation of what the user has just submitted.
|
|
$info = "\n";
|
|
$postVals = $this->getRequest()->getPostValues();
|
|
if ( isset( $postVals['wpUsername'] ) && $postVals['wpUsername'] !== '' ) {
|
|
$info .= "* " . $this->msg( 'passwordreset-username' ) . ' '
|
|
. wfEscapeWikiText( $postVals['wpUsername'] ) . "\n";
|
|
}
|
|
if ( isset( $postVals['wpEmail'] ) && $postVals['wpEmail'] !== '' ) {
|
|
$info .= "* " . $this->msg( 'passwordreset-email' ) . ' '
|
|
. wfEscapeWikiText( $postVals['wpEmail'] ) . "\n";
|
|
}
|
|
$output->addWikiMsg( 'passwordreset-success-info', $info );
|
|
|
|
// Add a return to link to the main page.
|
|
$output->returnToMain();
|
|
}
|
|
|
|
/**
|
|
* Hide the password reset page if resets are disabled.
|
|
* @return bool
|
|
*/
|
|
public function isListed() {
|
|
if ( !$this->passwordReset->isEnabled()->isGood() ) {
|
|
return false;
|
|
}
|
|
|
|
return parent::isListed();
|
|
}
|
|
|
|
/** @inheritDoc */
|
|
protected function getGroupName() {
|
|
return 'login';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Retain the old class name for backwards compatibility.
|
|
* @deprecated since 1.41
|
|
*/
|
|
class_alias( SpecialPasswordReset::class, 'SpecialPasswordReset' );
|