jenkins-bot has submitted this change and it was merged. Change subject: Reject authentication data change when there are warnings ......................................................................
Reject authentication data change when there are warnings AuthManager uses a status which is OK but not good for authentication data which is discouraged but still accepted for authentication. Users should not be allowed to change credentials into such invalid state. This change brings the web logic and the AuthPlugin fallback in sync with the API which already used the stricter check. Change-Id: I4ff54fcc901f6fe11f15ed60fc1a3d8753de9f6c (cherry picked from commit d850025e603fc6f2bec3a80cdd17c027d8813341) --- M includes/Preferences.php M includes/auth/AuthManagerAuthPlugin.php M includes/specialpage/AuthManagerSpecialPage.php M includes/user/User.php 4 files changed, 4 insertions(+), 4 deletions(-) Approvals: Gergő Tisza: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/Preferences.php b/includes/Preferences.php index 9a55ae3..3083a8d 100644 --- a/includes/Preferences.php +++ b/includes/Preferences.php @@ -296,7 +296,7 @@ $allowPasswordChange = $wgDisableAuthManager ? $wgAuth->allowPasswordChange() : AuthManager::singleton()->allowsAuthenticationDataChange( - new PasswordAuthenticationRequest(), false ); + new PasswordAuthenticationRequest(), false )->isGood(); if ( $canEditPrivateInfo && $allowPasswordChange ) { $link = Linker::link( SpecialPage::getTitleFor( 'ChangePassword' ), $context->msg( 'prefs-resetpass' )->escaped(), [], diff --git a/includes/auth/AuthManagerAuthPlugin.php b/includes/auth/AuthManagerAuthPlugin.php index bf1e021..8d85b44 100644 --- a/includes/auth/AuthManagerAuthPlugin.php +++ b/includes/auth/AuthManagerAuthPlugin.php 
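Review bot: The new `->isGood()` call in includes/Preferences.php has no comment explaining why a status that is OK but carries warnings is treated as a refusal, and the same applies to the `!$status->isGood()` checks in AuthManagerAuthPlugin.php, AuthManagerSpecialPage.php and User.php. The commit message gives the reason (such a status marks data that is discouraged but still accepted for authentication), but a later reader of the code alone could take `isGood()` for a slip and relax it back to `isOK()`. I would add above each check a line such as `// OK-with-warnings means the data is accepted for login but discouraged; never allow changing credentials into that state.` The enclosing functions start and end outside the hunks, so an existing comment nearby cannot be ruled out.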
@@ -131,7 +131,7 @@ $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data ); foreach ( $reqs as $req ) { $status = AuthManager::singleton()->allowsAuthenticationDataChange( $req ); - if ( !$status->isOk() ) { + if ( !$status->isGood() ) { $this->logger->info( __METHOD__ . ': Password change rejected: {reason}', [ 'username' => $data['username'], 'reason' => $status->getWikiText( null, null, 'en' ), diff --git a/includes/specialpage/AuthManagerSpecialPage.php b/includes/specialpage/AuthManagerSpecialPage.php index 7866c12..41380f0 100644 --- a/includes/specialpage/AuthManagerSpecialPage.php +++ b/includes/specialpage/AuthManagerSpecialPage.php @@ -375,7 +375,7 @@ $req = reset( $requests ); $status = $authManager->allowsAuthenticationDataChange( $req ); Hooks::run( 'ChangeAuthenticationDataAudit', [ $req, $status ] ); - if ( !$status->isOK() ) { + if ( !$status->isGood() ) { return AuthenticationResponse::newFail( $status->getMessage() ); } $authManager->changeAuthenticationData( $req ); diff --git a/includes/user/User.php b/includes/user/User.php index 9e50f36..8ecf468 100644 --- a/includes/user/User.php +++ b/includes/user/User.php 
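Review bot: In includes/specialpage/AuthManagerSpecialPage.php the `ChangeAuthenticationDataAudit` hook still receives `$status` before the new `!$status->isGood()` check, so a handler that judges the outcome by `$status->isOK()` would record the change as allowed although it is rejected on the next line. The hook's handlers and documentation are not visible here, so this is inferred; any that exist should test `isGood()`, and the hook documentation should state that only a good status leads to `changeAuthenticationData()`. It is also worth confirming that `$status->getMessage()` produces a usable message when the status holds only warnings, since that is what `AuthenticationResponse::newFail()` now receives in that case. The enclosing method starts and ends outside the hunk.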
@@ -2569,7 +2569,7 @@ $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data ); foreach ( $reqs as $req ) { $status = $manager->allowsAuthenticationDataChange( $req ); - if ( !$status->isOk() ) { + if ( !$status->isGood() ) { \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' ) ->info( __METHOD__ . ': Password change rejected: ' . $status->getWikiText() ); return false; -- To view, visit https://gerrit.wikimedia.org/r/293230 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4ff54fcc901f6fe11f15ed60fc1a3d8753de9f6c Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: wmf/1.28.0-wmf.5 Gerrit-Owner: Gergő Tisza <gti...@wikimedia.org> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: Gergő Tisza <gti...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
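Review bot: In includes/user/User.php the rejection log call `->info( __METHOD__ . ': Password change rejected: ' . $status->getWikiText() )` builds its message by concatenation, with no username and no fixed language, whereas the parallel check in AuthManagerAuthPlugin.php logs a `{reason}` placeholder with a `'username'` context key and `getWikiText( null, null, 'en' )`. Since statuses with warnings now reach this branch as well, these entries may become more frequent, and the free-form text makes them harder to search and correlate per account. I would align the call, e.g. `->info( __METHOD__ . ': Password change rejected: {reason}', [ 'reason' => $status->getWikiText( null, null, 'en' ) ] );`, and add the username to the context if one is available in this scope. The enclosing method is only partly visible in the hunk.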