CSteipp has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224658

Change subject: Add "purpose" to password validity check
......................................................................

Add "purpose" to password validity check

Allow callers to specify why they are checking a passwords validity, so
some checks can be modified. Only check the default policy on creation,
since the account doesn't exist it's not a member of any groups.

Bug: T104615
Change-Id: I56b66002562aaa1493d94a90309bc8e4ae3841c8
---
M docs/hooks.txt
M includes/User.php
M includes/installer/WebInstallerPage.php
M includes/password/UserPasswordPolicy.php
M includes/specials/SpecialUserlogin.php
5 files changed, 26 insertions(+), 23 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/58/224658/1

diff --git a/docs/hooks.txt b/docs/hooks.txt
index 23df983..2fd815e6 100644
--- a/docs/hooks.txt
+++ b/docs/hooks.txt
@@ -2313,6 +2313,8 @@
 'PasswordPoliciesForUser': Alter the effective password policy for a user.
 $user: User object whose policy you are modifying
 &$effectivePolicy: Array of policy statements that apply to this user
+$purpose: string indicating purpose of the check, one of 'login', 'create',
+  or 'reset'
 
 'PerformRetroactiveAutoblock': Called before a retroactive autoblock is applied
 to a user.
diff --git a/includes/User.php b/includes/User.php
index 772330b..b70eee3 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -838,10 +838,11 @@
         * able to set their password to this.
         *
         * @param string $password Desired password
+        * @param string $purpose one of 'login', 'create', 'reset'
         * @return Status
         * @since 1.23
         */
-       public function checkPasswordValidity( $password ) {
+       public function checkPasswordValidity( $password, $purpose = 'login' ) {
                global $wgPasswordPolicy;
 
                $upp = new UserPasswordPolicy(
@@ -858,7 +859,7 @@
                }
 
                if ( $result === false ) {
-                       $status->merge( $upp->checkUserPassword( $this, 
$password ) );
+                       $status->merge( $upp->checkUserPassword( $this, 
$password, $purpose ) );
                        return $status;
                } elseif ( $result === true ) {
                        return $status;
diff --git a/includes/installer/WebInstallerPage.php 
b/includes/installer/WebInstallerPage.php
index 9aa6960..f7910ba 100644
--- a/includes/installer/WebInstallerPage.php
+++ b/includes/installer/WebInstallerPage.php
@@ -911,16 +911,8 @@
                $pwd = $this->getVar( '_AdminPassword' );
                $user = User::newFromName( $cname );
                if ( $user ) {
-                       $upp = new UserPasswordPolicy(
-                               $wgPasswordPolicy['policies'],
-                               $wgPasswordPolicy['checks']
-                       );
-                       $status = $upp->checkUserPasswordForGroups(
-                               $user,
-                               $pwd,
-                               array( 'sysop', 'bureaucrat' )
-                       );
-                       $valid = $status->isGood();
+                       $status = $user->checkPasswordValidity( $pwd, 'create' 
);
+                       $valid = $status->isGood() ? true : 
$status->getMessage()->escaped();
                } else {
                        $valid = 'config-admin-name-invalid';
                }
diff --git a/includes/password/UserPasswordPolicy.php 
b/includes/password/UserPasswordPolicy.php
index 70757ac..80dc669 100644
--- a/includes/password/UserPasswordPolicy.php
+++ b/includes/password/UserPasswordPolicy.php
@@ -67,11 +67,12 @@
         * Check if a passwords meets the effective password policy for a User.
         * @param User $user who's policy we are checking
         * @param string $password the password to check
+        * @param string $purpose one of 'login', 'create', 'reset'
         * @return Status error to indicate the password didn't meet the 
policy, or fatal to
         *      indicate the user shouldn't be allowed to login.
         */
-       public function checkUserPassword( User $user, $password ) {
-               $effectivePolicy = $this->getPoliciesForUser( $user );
+       public function checkUserPassword( User $user, $password, $purpose = 
'login' ) {
+               $effectivePolicy = $this->getPoliciesForUser( $user, $purpose );
                return $this->checkPolicies(
                        $user,
                        $password,
@@ -126,16 +127,20 @@
         * Get the policy for a user, based on their group membership. Public so
         * UI elements can access and inform the user.
         * @param User $user
+        * @param string $purpose one of 'login', 'create', 'reset'
         * @return array the effective policy for $user
         */
-       public function getPoliciesForUser( User $user ) {
-               $effectivePolicy = self::getPoliciesForGroups(
-                       $this->policies,
-                       $user->getEffectiveGroups(),
-                       $this->policies['default']
-               );
+       public function getPoliciesForUser( User $user, $purpose = 'login' ) {
+               $effectivePolicy = $this->policies['default'];
+               if ( $purpose !== 'create' ) {
+                       $effectivePolicy = self::getPoliciesForGroups(
+                               $this->policies,
+                               $user->getEffectiveGroups(),
+                               $this->policies['default']
+                       );
+               }
 
-               Hooks::run( 'PasswordPoliciesForUser', array( $user, 
&$effectivePolicy ) );
+               Hooks::run( 'PasswordPoliciesForUser', array( $user, 
&$effectivePolicy, $purpose ) );
 
                return $effectivePolicy;
        }
diff --git a/includes/specials/SpecialUserlogin.php 
b/includes/specials/SpecialUserlogin.php
index aa51415..4ca07fe 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -545,7 +545,7 @@
                        }
 
                        # check for password validity, return a fatal Status if 
invalid
-                       $validity = $u->checkPasswordValidity( $this->mPassword 
);
+                       $validity = $u->checkPasswordValidity( 
$this->mPassword, 'create' );
                        if ( !$validity->isGood() ) {
                                $validity->ok = false; // make sure this Status 
is fatal
                                return $validity;
@@ -948,7 +948,10 @@
                                        } elseif ( $wgInvalidPasswordReset
                                                && !$user->isValidPassword( 
$this->mPassword )
                                        ) {
-                                               $status = 
$user->checkPasswordValidity( $this->mPassword );
+                                               $status = 
$user->checkPasswordValidity(
+                                                       $this->mPassword,
+                                                       'login'
+                                               );
                                                $this->resetLoginForm(
                                                        $status->getMessage( 
'resetpass-validity-soft' )
                                                );

-- 
To view, visit https://gerrit.wikimedia.org/r/224658
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I56b66002562aaa1493d94a90309bc8e4ae3841c8
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to