Skizzerz has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391992 )
Change subject: Local acct bypass, workaround mw bug, userrights import config ...................................................................... Local acct bypass, workaround mw bug, userrights import config Add a new userright mwa-createlocalaccount to create an account locally without importing it from the remote wiki. Otherwise, existence checks block local account creation with same usernames. Add 2 new config options: * $wgMediaWikiAuthAllowPasswordChange defaults false; if true it prompts the user to change their password (or skip) after importing their account. There appears to be a bug in MediaWiki where if this screen is skipped entirely (rather than entering a new pw or choosing skip button), the account creation partially fails and the user can no longer log into their account until they reset their password. * $wgMediaWikiAuthImportGroups defaults to true. It can be a boolean or array of group names. If true, it imports all group memberships from the foreign wiki. If false, it does not import any group memberships. If an array, it only imports those specific groups (assuming they exist on both sides). Change-Id: I2e6cfe72b13c8ce5da63b3e9c0fb273b0ff33c26 --- M ExternalWikiPrimaryAuthenticationProvider.php M extension.json M i18n/en.json M i18n/qqq.json 4 files changed, 31 insertions(+), 6 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/MediaWikiAuth refs/changes/92/391992/1 diff --git a/ExternalWikiPrimaryAuthenticationProvider.php b/ExternalWikiPrimaryAuthenticationProvider.php index c8fd679..e34ab6f 100644 --- a/ExternalWikiPrimaryAuthenticationProvider.php +++ b/ExternalWikiPrimaryAuthenticationProvider.php 
@@ -123,7 +123,9 @@ // Remote login was successful, an account will be automatically created for the user by the system // Mark them as (maybe) needing to reset their password as a secondary auth step. - $this->setPasswordResetFlag( $username, Status::newGood() ); + if ( $this->config->get( 'MediaWikiAuthAllowPasswordChange' ) ) { + $this->setPasswordResetFlag( $username, Status::newGood() ); + } return AuthenticationResponse::newPass( $username ); } @@ -190,6 +192,15 @@ // groupmemberships contains groups and expiries, but is only present in recent versions of MW. Fall back to groups if it doesn't exist. $validGroups = array_diff( array_keys( $this->config->get( 'GroupPermissions' ) ), $this->config->get( 'ImplicitGroups' ) ); + $importableGroups = $this->config->get( 'MediaWikiAuthImportGroups' ); + if ( $importableGroups === false ) { + // do not import any groups + $validGroups = []; + } elseif ( is_array( $importableGroups ) ) { + // array_intersect has a mind-bogglingly stupid implementation, + // in the sense that if the first array has dups, those dups are returned even if subsequent arrays don't have that element at all + $validGroups = array_intersect( array_unique( $validGroups ), $importableGroups ); + } if ( isset( $userInfo->query->userinfo->groupmemberships ) ) { foreach ( $userInfo->query->userinfo->groupmemberships as $group ) { @@ -256,6 +267,13 @@ } public function testUserExists( $username, $flags = User::READ_NORMAL ) { + // sadly we have no other way of getting at the context here + $user = \RequestContext::getMain()->getUser(); + if ( $user->isAllowed( 'mwa-createlocalaccount' ) ) { + // bypass remote wiki checks; user can create local accounts + return false; + } + if ( !isset( $this->userCache[$username] ) ) { $resp = $this->apiRequest( 'GET', [ 'action' => 'query', 
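Review bot: The new `MediaWikiAuthImportGroups` handling in the `-190,6 +192,15` hunk fails open. Only an exact `false` or an array restricts `$validGroups`, so any other value (`null`, `0`, an empty string, a mistyped setting) falls through and imports every group the remote wiki reports, including privileged ones. Since this value decides which rights an imported account receives, I would treat only an explicit `true` as "import all" by changing the first test to `if ( $importableGroups !== true && !is_array( $importableGroups ) )`. The comment on that branch could then read `// anything other than true or an array imports no groups`. The enclosing method starts and ends outside the hunk, so how `$validGroups` is applied further down is not visible here.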
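Review bot: In `testUserExists` (hunk `-256,6 +267,13`), the bypass is keyed on whoever `\RequestContext::getMain()->getUser()` is, not on the operation being performed. Every call made while a holder of `mwa-createlocalaccount` is the context user therefore returns false before the cache or the remote API is consulted, not just calls from account creation. Outside a web request the main context user may not be the actor at all, so the result there is hard to predict. A local account created through this path occupies the name of a not-yet-imported remote account, so the right is effectively a name-takeover permission. That deserves a comment at the check, for example `// applies to every caller in this request; the created account takes the remote user's name and blocks its later import`, plus a log line such as `wfDebugLog( 'MediaWikiAuth', "remote existence check bypassed for $username" );` so the bypass is auditable. The function body continues past the end of the hunk.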
@@ -351,7 +369,7 @@ public function accountCreationType() { // while this creates accounts, it does not do so via the Special:CreateAccount UI - return TYPE_NONE; + return self::TYPE_NONE; } protected function getPasswordResetData( $username, $data ) { diff --git a/extension.json b/extension.json index c576116..73591cc 100644 --- a/extension.json +++ b/extension.json @@ -1,6 +1,6 @@ { "name": "MediaWikiAuth", - "version": "0.9.0", + "version": "0.10.0", "author": [ "Laurence Parry", "Jack Phoenix", @@ -12,7 +12,9 @@ "license-name": "GPL-2.0+", "type": "other", "config": { - "MediaWikiAuthApiUrl": "" + "MediaWikiAuthAllowPasswordChange": false, + "MediaWikiAuthApiUrl": "", + "MediaWikiAuthImportGroups": true }, "MessagesDirs": { "MediaWikiAuth": [ @@ -23,6 +25,9 @@ "MediaWikiAuth\\ExternalWikiPrimaryAuthenticationProvider": "ExternalWikiPrimaryAuthenticationProvider.php", "MediaWikiAuth\\PopulateImportedWatchlistJob": "PopulateImportedWatchlistJob.php" }, + "AvailableRights": [ + "mwa-createlocalaccount" + ], "JobClasses": { "populateImportedWatchlist": "MediaWikiAuth\\PopulateImportedWatchlistJob" }, diff --git a/i18n/en.json b/i18n/en.json index 930b5c7..e6361ba 100644 --- a/i18n/en.json +++ b/i18n/en.json 
@@ -10,5 +10,6 @@ "mwa-authfail": "Unable to log into the remote wiki to import your account. Ensure you are using the correct password.", "mwa-finishcreate": "Your account has been successfully imported. You may set a new password now or choose \"$1\" to keep your current password.", "mwa-unconfiguredtitle": "Extension not configured.", - "mwa-unconfiguredtext": "The MediaWikiAuth extension is not configured properly. Ensure that $wgMediaWikiAuthApiUrl is set in your LocalSettings.php to the API URL of the remote wiki." + "mwa-unconfiguredtext": "The MediaWikiAuth extension is not configured properly. Ensure that $wgMediaWikiAuthApiUrl is set in your LocalSettings.php to the API URL of the remote wiki.", + "right-mwa-createlocalaccount": "Create local accounts with the same username as an unimported external account." } diff --git a/i18n/qqq.json b/i18n/qqq.json index dcac54a..a649bea 100644 --- a/i18n/qqq.json +++ b/i18n/qqq.json 
@@ -5,5 +5,6 @@ "mwa-authfail": "Used as an error message to indicate the user was unable to log into the remote wiki, perhaps because they are using the wrong password.", "mwa-finishcreate": "Used as a success message that an account was imported, and is displayed above a field that lets the user change their password. $1 is the label of the Skip button so that the user can keep the same password.", "mwa-unconfiguredtitle": "Used as the page title on the error page when the extension is not configured", - "mwa-unconfiguredtext": "Used as the page text on the error page when the extension is not configured. $wgMediaWikiAuthApiUrl is a PHP variable name and must be preserved as-is; do not translate or modify it." + "mwa-unconfiguredtext": "Used as the page text on the error page when the extension is not configured. $wgMediaWikiAuthApiUrl is a PHP variable name and must be preserved as-is; do not translate or modify it.", + "right-mwa-createlocalaccount": "{{doc-right|mwa-createlocalaccount}}\nRight which allows the user to create a local account even if an importable account exists remotely." } -- To view, visit https://gerrit.wikimedia.org/r/391992 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2e6cfe72b13c8ce5da63b3e9c0fb273b0ff33c26 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/MediaWikiAuth Gerrit-Branch: master Gerrit-Owner: Skizzerz <skizz...@skizzerz.net> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits