jenkins-bot has submitted this change and it was merged. Change subject: Allow login with passwords not meeting complexity requirements ......................................................................
Allow login with passwords not meeting complexity requirements As part of https://www.mediawiki.org/wiki/Requests_for_comment/Passwords This patch: * Allows users to login with a password that does not meet the requirements of User::isValidPassword(), including the minimum password length. * Adds a configuration flag that specifies if users should be sent to the change password form when they login with a password that doesn't meet the requirements of User::isValidPassword(). To test the UX as it will be on WMF wikis, set $wgMinimalPasswordLength=6 in your LocalSettings.php. Change-Id: Ib7b72005fea1c69073c0a33a68c0a0df0d6528d2 --- M includes/DefaultSettings.php M includes/User.php M includes/specials/SpecialUserlogin.php M languages/messages/MessagesEn.php M languages/messages/MessagesQqq.php M maintenance/language/messages.inc 6 files changed, 25 insertions(+), 7 deletions(-) Approvals: Aaron Schulz: Looks good to me, approved Siebrand: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 50db6c7..c6ebb35 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -3978,6 +3978,13 @@ $wgMinimalPasswordLength = 1; /** + * Specifies if users should be sent to a password-reset form on login, if their + * password doesn't meet the requirements of User::isValidPassword(). + * @since 1.23 + */ +$wgInvalidPasswordReset = true; + +/** * Whether to allow password resets ("enter some identifying data, and we'll send an email * with a temporary password you can use to get back into the account") identified by * various bits of data. Setting all of these to false (or the whole variable to false) diff --git a/includes/User.php b/includes/User.php index 9b47acf..a897d21 100644 --- a/includes/User.php +++ b/includes/User.php 
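Review bot: The docblock added for `$wgInvalidPasswordReset` does not say that the prompt is advisory, so an operator could read the flag as enforcing the password policy. Going by the `resetpass-validity-soft` message added in this same change, the user can cancel the form and keep the non-compliant password. I would add a line such as ` * The prompt can be dismissed; this setting does not block logins with a non-compliant password.` The wording "password-reset form" is also easy to confuse with the e-mail based reset documented in the very next block; "change-password form", as the commit message says, is clearer.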
@@ -3722,14 +3722,9 @@ global $wgAuth, $wgLegacyEncoding; $this->load(); - // Even though we stop people from creating passwords that - // are shorter than this, doesn't mean people wont be able - // to. Certain authentication plugins do NOT want to save + // Certain authentication plugins do NOT want to save // domain passwords in a mysql database, so we should // check this (in case $wgAuth->strict() is false). - if ( !$this->isValidPassword( $password ) ) { - return false; - } if ( $wgAuth->authenticate( $this->getName(), $password ) ) { return true; diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php index 69013b0..1c9fed7 100644 --- a/includes/specials/SpecialUserlogin.php +++ b/includes/specials/SpecialUserlogin.php @@ -767,7 +767,8 @@ } function processLogin() { - global $wgMemc, $wgLang, $wgSecureLogin, $wgPasswordAttemptThrottle; + global $wgMemc, $wgLang, $wgSecureLogin, $wgPasswordAttemptThrottle, + $wgInvalidPasswordReset; switch ( $this->authenticateUserData() ) { case self::SUCCESS: @@ -808,6 +809,13 @@ $this->renewSessionId(); if ( $this->getUser()->getPasswordExpired() == 'soft' ) { $this->resetLoginForm( $this->msg( 'resetpass-expired-soft' ) ); + } elseif ( $wgInvalidPasswordReset + && !$user->isValidPassword( $this->mPassword ) + ) { + $status = $user->checkPasswordValidity( $this->mPassword ); + $this->resetLoginForm( + $status->getMessage( 'resetpass-validity-soft' ) + ); } else { $this->successfulLogin(); } diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php index f1725a3..d37d7b0 100644 --- a/languages/messages/MessagesEn.php +++ b/languages/messages/MessagesEn.php 
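Review bot: With the `isValidPassword()` guard removed in the User.php hunk, a zero-length password is no longer rejected before `$wgAuth->authenticate( $this->getName(), $password )` runs, and the comment kept above that call itself notes that plugins may be non-strict. Whether every authentication plugin refuses an empty password is not visible here, so I would keep an explicit guard ahead of the plugin call, `if ( $password === '' ) { return false; }`, unless empty stored passwords are meant to stay usable. The leftover comment's "so we should check this" now has no check beneath it and should be reworded to describe the plugin call. The enclosing function starts and ends outside the hunk, and any caller other than the login form also loses the policy check without gaining the new prompt, which is worth confirming.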
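Review bot: The new `elseif` in `processLogin()` evaluates the password policy twice, once through `isValidPassword()` and again through `checkPasswordValidity()`, and it reads `$user` while the branch above it uses `$this->getUser()`. `$user` is not assigned anywhere in the visible lines, so it has to come from earlier in the `case self::SUCCESS:` body, outside the hunk; using `$this->getUser()` in both places would make that explicit. Computing `$status = $this->getUser()->checkPasswordValidity( $this->mPassword );` once and testing `!$status->isGood()` would remove the duplicate call, assuming the returned object is a Status whose `isGood()` agrees with `isValidPassword()`. A short comment such as `// Login has already succeeded and the session is renewed; this only prompts for a change.` would record that the branch is a prompt and not a gate.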
@@ -1289,6 +1289,9 @@ 'resetpass-abort-generic' => 'Password change has been aborted by an extension.', 'resetpass-expired' => 'Your password has expired. Please set a new password to log in.', 'resetpass-expired-soft' => 'Your password has expired and needs to be reset. Please choose a new password now, or click "{{int:resetpass-submit-cancel}}" to reset it later.', +'resetpass-validity-soft' => 'Your password is not valid: $1 + +Please choose a new password now, or click "{{int:resetpass-submit-cancel}}" to reset it later.', # Special:PasswordReset 'passwordreset' => 'Reset password', diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php index a5e12d0..938f369 100644 --- a/languages/messages/MessagesQqq.php +++ b/languages/messages/MessagesQqq.php @@ -1647,6 +1647,10 @@ 'resetpass-abort-generic' => 'Generic error message shown on [[Special:ChangePassword]] when an extension aborts a password change from a hook.', 'resetpass-expired' => "Generic error message shown on [[Special:ChangePassword]] when a user's password is expired", 'resetpass-expired-soft' => 'Generic warning message shown on [[Special:ChangePassword]] when a user needs to reset their password, but they are not prevented from logging in at this time', +'resetpass-validity-soft' => 'Warning message shown on [[Special:ChangePassword]] when a user needs to reset their password, because their password is not valid. + +Parameters: +* $1 - error message', # Special:PasswordReset 'passwordreset' => 'Title of [[Special:PasswordReset]]. diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc index d4fdfee..e315357 100644 --- a/maintenance/language/messages.inc +++ b/maintenance/language/messages.inc 
@@ -592,6 +592,7 @@ 'resetpass-abort-generic', 'resetpass-expired', 'resetpass-expired-soft', + 'resetpass-validity-soft', ), 'passwordreset' => array( 'passwordreset', -- To view, visit https://gerrit.wikimedia.org/r/117635 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ib7b72005fea1c69073c0a33a68c0a0df0d6528d2 Gerrit-PatchSet: 7 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Aaron Schulz <asch...@wikimedia.org> Gerrit-Reviewer: Aude <aude.w...@gmail.com> Gerrit-Reviewer: Brion VIBBER <br...@wikimedia.org> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Hoo man <h...@online.de> Gerrit-Reviewer: JGonera <jgon...@wikimedia.org> Gerrit-Reviewer: Jdlrobson <jrob...@wikimedia.org> Gerrit-Reviewer: MZMcBride <w...@mzmcbride.com> Gerrit-Reviewer: Mattflaschen <mflasc...@wikimedia.org> Gerrit-Reviewer: MaxSem <maxsem.w...@gmail.com> Gerrit-Reviewer: Nikerabbit <niklas.laxst...@gmail.com> Gerrit-Reviewer: Parent5446 <tylerro...@gmail.com> Gerrit-Reviewer: Siebrand <siebr...@kitano.nl> Gerrit-Reviewer: Swalling <swall...@wikimedia.org> Gerrit-Reviewer: Tim Starling <tstarl...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits