http://www.mediawiki.org/wiki/Special:Code/MediaWiki/98029
Revision: 98029
Author: happy-melon
Date: 2011-09-24 21:11:41 +0000 (Sat, 24 Sep 2011)
Log Message:
-----------
(bug 30636) integrate the remaining functionality of the PasswordReset
extension into core, to make the fact that its Special:PasswordReset conflicts
(as of 1.18) with the new core special page of the same name no longer
relevant.
The extension just allows admins with the 'passwordreset' permission to
arbitrarily change other users' passwords, which is really scary. This core
change uses the same permission, but instead gives them the ability to view the
password reset email that would be sent to another user. So they can record
the temporary password, and give it to the user via a medium other than email;
but when the user logs in with it they will be forced to change it and the
admin will no longer know what it is.
It would be nice to log these viewing actions, but I'm not sure which log it
should go into, or whether it's worth creating a new one just for this (rare
and disabled-by-default) action.
Modified Paths:
--------------
trunk/phase3/includes/DefaultSettings.php
trunk/phase3/includes/specials/SpecialPasswordReset.php
trunk/phase3/languages/messages/MessagesEn.php
Modified: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php 2011-09-24 21:10:08 UTC (rev
98028)
+++ trunk/phase3/includes/DefaultSettings.php 2011-09-24 21:11:41 UTC (rev
98029)
@@ -4804,7 +4804,7 @@
/**
* Authentication plugin.
- * @var AuthPlugin
+ * @var $wgAuth AuthPlugin
*/
$wgAuth = null;
Modified: trunk/phase3/includes/specials/SpecialPasswordReset.php
===================================================================
--- trunk/phase3/includes/specials/SpecialPasswordReset.php 2011-09-24
21:10:08 UTC (rev 98028)
+++ trunk/phase3/includes/specials/SpecialPasswordReset.php 2011-09-24
21:11:41 UTC (rev 98029)
@@ -28,6 +28,16 @@
*/
class SpecialPasswordReset extends FormSpecialPage {
+ /**
+ * @var Message
+ */
+ private $email;
+
+ /**
+ * @var Status
+ */
+ private $result;
+
public function __construct() {
parent::__construct( 'PasswordReset' );
}
@@ -69,6 +79,14 @@
);
}
+ if( $this->getUser()->isAllowed( 'passwordreset' ) ){
+ $a['Capture'] = array(
+ 'type' => 'check',
+ 'label-message' => 'passwordreset-capture',
+ 'help-message' => 'passwordreset-capture-help',
+ );
+ }
+
return $a;
}
@@ -109,6 +127,16 @@
}
}
+ if( isset( $data['Capture'] ) && !$this->getUser()->isAllowed(
'passwordreset' ) ){
+ // The user knows they don't have the passwordreset
permission, but they tried to spoof the form. That's naughty
+ throw new PermissionsError( 'passwordreset' );
+ }
+
+ /**
+ * @var $firstUser User
+ * @var $users User[]
+ */
+
if ( isset( $data['Username'] ) && $data['Username'] !== '' ) {
$method = 'username';
$users = array( User::newFromName( $data['Username'] )
);
@@ -199,15 +227,15 @@
$password = $user->randomPassword();
$user->setNewpassword( $password );
$user->saveSettings();
- $passwords[] = wfMessage( 'passwordreset-emailelement',
$user->getName(), $password );
+ $passwords[] = wfMessage( 'passwordreset-emailelement',
$user->getName(), $password )->plain(); // We'll escape the whole thing later
}
$passwordBlock = implode( "\n\n", $passwords );
// Send in the user's language; which should hopefully be the
same
$userLanguage = $firstUser->getOption( 'language' );
- $body = wfMessage( $msg )->inLanguage( $userLanguage );
- $body->params(
+ $this->email = wfMessage( $msg )->inLanguage( $userLanguage );
+ $this->email->params(
$username,
$passwordBlock,
count( $passwords ),
@@ -217,18 +245,38 @@
$title = wfMessage( 'passwordreset-emailtitle' );
- $result = $firstUser->sendMail( $title->text(), $body->text() );
+ $this->result = $firstUser->sendMail( $title->escaped(),
$this->email->escaped() );
- if ( $result->isGood() ) {
+ // Blank the email if the user is not supposed to see it
+ if( !isset( $data['Capture'] ) || !$data['Capture'] ) {
+ $this->email = null;
+ }
+
+ if ( $this->result->isGood() ) {
return true;
+ } elseif( isset( $data['Capture'] ) && $data['Capture'] ){
+ // The email didn't send, but maybe they knew that and
that's why they captured it
+ return true;
} else {
// @todo FIXME: The email didn't send, but we have
already set the password throttle
// timestamp, so they won't be able to try again until
it expires... :(
- return array( array( 'mailerror', $result->getMessage()
) );
+ return array( array( 'mailerror',
$this->result->getMessage() ) );
}
}
public function onSuccess() {
+ if( $this->getUser()->isAllowed( 'passwordreset' ) &&
$this->email != null ){
+ // @todo: Logging
+
+ if( $this->result->isGood() ){
+ $this->getOutput()->addWikiMsg(
'passwordreset-emailsent-capture' );
+ } else {
+ $this->getOutput()->addWikiMsg(
'passwordreset-emailerror-capture', $this->result->getMessage() );
+ }
+
+ $this->getOutput()->addHTML( Html::rawElement( 'pre',
array(), $this->email->escaped() ) );
+ }
+
$this->getOutput()->addWikiMsg( 'passwordreset-emailsent' );
$this->getOutput()->returnToMain();
}
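Review bot: `$title->escaped()` and `$this->email->escaped()` HTML-escape the subject and body handed to `User::sendMail`, which as far as this hunk shows is a plain-text e-mail, so any `&`, `<`, `>` or quote in the username, the password block or {{SITENAME}} would reach the recipient as a literal entity such as `&amp;`; HTML escaping is only needed for the `<pre>` in onSuccess, so the send should keep the previous form `$this->result = $firstUser->sendMail( $title->text(), $this->email->text() );`. In onSuccess, the capture-and-failed branch emits 'passwordreset-emailerror-capture' and then falls through to the unconditional 'passwordreset-emailsent' on the last lines, so the admin is told both that sending failed and that the e-mail was sent; guard that line with `if ( $this->result->isGood() )` or return early from the capture branch. `$this->email != null` is a loose comparison; `$this->email !== null` says what is meant. Since the captured text contains a live temporary credential shown to someone other than the account owner, resolving the `// @todo: Logging` before merge would give an audit trail for this privileged view.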
Modified: trunk/phase3/languages/messages/MessagesEn.php
===================================================================
--- trunk/phase3/languages/messages/MessagesEn.php 2011-09-24 21:10:08 UTC
(rev 98028)
+++ trunk/phase3/languages/messages/MessagesEn.php 2011-09-24 21:11:41 UTC
(rev 98029)
@@ -1183,6 +1183,8 @@
'passwordreset-pretext' => '{{PLURAL:$1||Enter one of the pieces of
data below}}',
'passwordreset-username' => 'Username:',
'passwordreset-domain' => 'Domain:',
+'passwordreset-capture' => 'View the resulting email?',
+'passwordreset-capture-help' => 'If you check this box, the email (with the
temporary password) will be shown to you as well as being sent to the user.',
'passwordreset-email' => 'E-mail address:',
'passwordreset-emailtitle' => 'Account details on {{SITENAME}}',
'passwordreset-emailtext-ip' => 'Someone (probably you, from IP address $1)
requested a reminder of your
@@ -1209,6 +1211,8 @@
'passwordreset-emailelement' => 'Username: $1
Temporary password: $2',
'passwordreset-emailsent' => 'A reminder e-mail has been sent.',
+'passwordreset-emailsent-capture' => 'A reminder e-mail has been sent, which
is shown below.',
+'passwordreset-emailerror-capture' => 'A reminder e-mail was generated, which
is shown below, but sending it to the user failed: $1',
# Special:ChangeEmail
'changeemail' => 'Change E-mail address',
@@ -1980,6 +1984,7 @@
'right-siteadmin' => 'Lock and unlock the database',
'right-override-export-depth' => 'Export pages including linked pages up to a
depth of 5',
'right-sendemail' => 'Send e-mail to other users',
+'right-passwordreset' => 'View password reset emails',
# User rights log
'rightslog' => 'User rights log',