Code Coverage
 
Lines
Functions and Methods
Classes and Traits
Total
0.00% covered (danger)
0.00%
0 / 148
0.00% covered (danger)
0.00%
0 / 17
 CRAP
0.00% covered (danger)
0.00%
0 / 1
SpecialChangeCredentials
0.00% covered (danger)
0.00%
0 / 147
0.00% covered (danger)
0.00%
0 / 17
 1892
0.00% covered (danger)
0.00%
0 / 1
 __construct
0.00% covered (danger)
0.00%
0 / 2
0.00% covered (danger)
0.00%
0 / 1
 2
 getGroupName
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
 isListed
0.00% covered (danger)
0.00%
0 / 2
0.00% covered (danger)
0.00%
0 / 1
 2
 doesWrites
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
 getDefaultAction
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
 getPreservedParams
0.00% covered (danger)
0.00%
0 / 7
0.00% covered (danger)
0.00%
0 / 1
 2
 execute
0.00% covered (danger)
0.00%
0 / 23
0.00% covered (danger)
0.00%
0 / 1
 72
 loadAuth
0.00% covered (danger)
0.00%
0 / 9
0.00% covered (danger)
0.00%
0 / 1
 30
 onAuthChangeFormFields
0.00% covered (danger)
0.00%
0 / 24
0.00% covered (danger)
0.00%
0 / 1
 6
 getAuthFormDescriptor
0.00% covered (danger)
0.00%
0 / 14
0.00% covered (danger)
0.00%
0 / 1
 56
 getAuthForm
0.00% covered (danger)
0.00%
0 / 15
0.00% covered (danger)
0.00%
0 / 1
 6
 needsSubmitButton
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
 handleFormSubmit
0.00% covered (danger)
0.00%
0 / 5
0.00% covered (danger)
0.00%
0 / 1
 6
 showSubpageList
0.00% covered (danger)
0.00%
0 / 20
0.00% covered (danger)
0.00%
0 / 1
 30
 success
0.00% covered (danger)
0.00%
0 / 15
0.00% covered (danger)
0.00%
0 / 1
 6
 getReturnUrl
0.00% covered (danger)
0.00%
0 / 6
0.00% covered (danger)
0.00%
0 / 1
 6
 getRequestBlacklist
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
1<?php
2
3namespace MediaWiki\Specials;
4
5use LogicException;
6use MediaWiki\Auth\AuthenticationRequest;
7use MediaWiki\Auth\AuthenticationResponse;
8use MediaWiki\Auth\AuthManager;
9use MediaWiki\Auth\PasswordAuthenticationRequest;
10use MediaWiki\Html\Html;
11use MediaWiki\MainConfigNames;
12use MediaWiki\Message\Message;
13use MediaWiki\Session\SessionManager;
14use MediaWiki\SpecialPage\AuthManagerSpecialPage;
15use MediaWiki\Status\Status;
16use MediaWiki\Title\Title;
17
18/**
19 * Special change to change credentials (such as the password).
20 *
21 * Also does most of the work for SpecialRemoveCredentials.
22 */
23class SpecialChangeCredentials extends AuthManagerSpecialPage {
24    protected static $allowedActions = [ AuthManager::ACTION_CHANGE ];
25
26    protected static $messagePrefix = 'changecredentials';
27
28    /** Change action needs user data; remove action does not */
29    protected static $loadUserData = true;
30
31    /**
32     * @param AuthManager $authManager
33     */
34    public function __construct( AuthManager $authManager ) {
35        parent::__construct( 'ChangeCredentials', 'editmyprivateinfo' );
36        $this->setAuthManager( $authManager );
37    }
38
39    protected function getGroupName() {
40        return 'login';
41    }
42
43    public function isListed() {
44        $this->loadAuth( '' );
45        return (bool)$this->authRequests;
46    }
47
48    public function doesWrites() {
49        return true;
50    }
51
52    protected function getDefaultAction( $subPage ) {
53        return AuthManager::ACTION_CHANGE;
54    }
55
56    protected function getPreservedParams( $withToken = false ) {
57        $request = $this->getRequest();
58        $params = parent::getPreservedParams( $withToken );
59        $params += [
60            'returnto' => $request->getVal( 'returnto' ),
61            'returntoquery' => $request->getVal( 'returntoquery' ),
62        ];
63        return $params;
64    }
65
66    public function execute( $subPage ) {
67        $this->setHeaders();
68        $this->outputHeader();
69
70        $this->loadAuth( $subPage );
71
72        if ( !$subPage ) {
73            $this->showSubpageList();
74            return;
75        }
76
77        if ( !$this->authRequests ) {
78            // messages used: changecredentials-invalidsubpage, removecredentials-invalidsubpage
79            $this->showSubpageList( $this->msg( static::$messagePrefix . '-invalidsubpage', $subPage ) );
80            return;
81        }
82
83        $out = $this->getOutput();
84        $out->addModules( 'mediawiki.special.changecredentials' );
85        $out->addBacklinkSubtitle( $this->getPageTitle() );
86        $status = $this->trySubmit();
87
88        if ( $status === false || !$status->isOK() ) {
89            $this->displayForm( $status );
90            return;
91        }
92
93        $response = $status->getValue();
94
95        switch ( $response->status ) {
96            case AuthenticationResponse::PASS:
97                $this->success();
98                break;
99            case AuthenticationResponse::FAIL:
100                $this->displayForm( Status::newFatal( $response->message ) );
101                break;
102            default:
103                throw new LogicException( 'invalid AuthenticationResponse' );
104        }
105    }
106
107    protected function loadAuth( $subPage, $authAction = null, $reset = false ) {
108        parent::loadAuth( $subPage, $authAction );
109        if ( $subPage ) {
110            $foundReqs = [];
111            foreach ( $this->authRequests as $req ) {
112                if ( $req->getUniqueId() === $subPage ) {
113                    $foundReqs[] = $req;
114                }
115            }
116            if ( count( $foundReqs ) > 1 ) {
117                throw new LogicException( 'Multiple AuthenticationRequest objects with same ID!' );
118            }
119            $this->authRequests = $foundReqs;
120        }
121    }
122
123    /** @inheritDoc */
124    public function onAuthChangeFormFields(
125        array $requests, array $fieldInfo, array &$formDescriptor, $action
126    ) {
127        parent::onAuthChangeFormFields( $requests, $fieldInfo, $formDescriptor, $action );
128
129        // Add some UI flair for password changes, the most common use case for this page.
130        if ( AuthenticationRequest::getRequestByClass( $this->authRequests,
131            PasswordAuthenticationRequest::class )
132        ) {
133            $formDescriptor = self::mergeDefaultFormDescriptor( $fieldInfo, $formDescriptor, [
134                'password' => [
135                    'autocomplete' => 'new-password',
136                    'placeholder-message' => 'createacct-yourpassword-ph',
137                    'help-message' => 'createacct-useuniquepass',
138                ],
139                'retype' => [
140                    'autocomplete' => 'new-password',
141                    'placeholder-message' => 'createacct-yourpasswordagain-ph',
142                ],
143                // T263927 - the Chromium password form guide recommends always having a username field
144                'username' => [
145                    'type' => 'text',
146                    'baseField' => 'password',
147                    'autocomplete' => 'username',
148                    'nodata' => true,
149                    'readonly' => true,
150                    'cssclass' => 'mw-htmlform-hidden-field',
151                    'label-message' => 'userlogin-yourname',
152                    'placeholder-message' => 'userlogin-yourname-ph',
153                ],
154            ] );
155        }
156    }
157
158    protected function getAuthFormDescriptor( $requests, $action ) {
159        if ( !static::$loadUserData ) {
160            return [];
161        }
162
163        $descriptor = parent::getAuthFormDescriptor( $requests, $action );
164
165        $any = false;
166        foreach ( $descriptor as &$field ) {
167            if ( $field['type'] === 'password' && $field['name'] !== 'retype' ) {
168                $any = true;
169                if ( isset( $field['cssclass'] ) ) {
170                    $field['cssclass'] .= ' mw-changecredentials-validate-password';
171                } else {
172                    $field['cssclass'] = 'mw-changecredentials-validate-password';
173                }
174            }
175        }
176        unset( $field );
177
178        if ( $any ) {
179            $this->getOutput()->addModules( 'mediawiki.misc-authed-ooui' );
180        }
181
182        return $descriptor;
183    }
184
185    protected function getAuthForm( array $requests, $action ) {
186        $form = parent::getAuthForm( $requests, $action );
187        $req = reset( $requests );
188        $info = $req->describeCredentials();
189
190        $form->addPreHtml(
191            Html::openElement( 'dl' )
192            . Html::element( 'dt', [], $this->msg( 'credentialsform-provider' )->text() )
193            . Html::element( 'dd', [], $info['provider']->text() )
194            . Html::element( 'dt', [], $this->msg( 'credentialsform-account' )->text() )
195            . Html::element( 'dd', [], $info['account']->text() )
196            . Html::closeElement( 'dl' )
197        );
198
199        // messages used: changecredentials-submit removecredentials-submit
200        $form->setSubmitTextMsg( static::$messagePrefix . '-submit' );
201        $form->showCancel()->setCancelTarget( $this->getReturnUrl() ?: Title::newMainPage() );
202        $form->setSubmitID( 'change_credentials_submit' );
203        return $form;
204    }
205
206    protected function needsSubmitButton( array $requests ) {
207        // Change/remove forms show are built from a single AuthenticationRequest and do not allow
208        // for redirect flow; they always need a submit button.
209        return true;
210    }
211
212    public function handleFormSubmit( $data ) {
213        // remove requests do not accept user input
214        $requests = $this->authRequests;
215        if ( static::$loadUserData ) {
216            $requests = AuthenticationRequest::loadRequestsFromSubmission( $this->authRequests, $data );
217        }
218
219        $response = $this->performAuthenticationStep( $this->authAction, $requests );
220
221        // we can't handle FAIL or similar as failure here since it might require changing the form
222        return Status::newGood( $response );
223    }
224
225    /**
226     * @param Message|null $error
227     */
228    protected function showSubpageList( $error = null ) {
229        $out = $this->getOutput();
230
231        if ( $error ) {
232            $out->addHTML( $error->parse() );
233        }
234
235        $groupedRequests = [];
236        foreach ( $this->authRequests as $req ) {
237            $info = $req->describeCredentials();
238            $groupedRequests[$info['provider']->text()][] = $req;
239        }
240
241        $linkRenderer = $this->getLinkRenderer();
242        $out->addHTML( Html::openElement( 'dl' ) );
243        foreach ( $groupedRequests as $group => $members ) {
244            $out->addHTML( Html::element( 'dt', [], $group ) );
245            foreach ( $members as $req ) {
246                /** @var AuthenticationRequest $req */
247                $info = $req->describeCredentials();
248                $out->addHTML( Html::rawElement( 'dd', [],
249                    $linkRenderer->makeLink(
250                        $this->getPageTitle( $req->getUniqueId() ),
251                        $info['account']->text()
252                    )
253                ) );
254            }
255        }
256        $out->addHTML( Html::closeElement( 'dl' ) );
257    }
258
259    protected function success() {
260        $session = $this->getRequest()->getSession();
261        $user = $this->getUser();
262        $out = $this->getOutput();
263        $returnUrl = $this->getReturnUrl();
264
265        // change user token and update the session
266        SessionManager::singleton()->invalidateSessionsForUser( $user );
267        $session->setUser( $user );
268        $session->resetId();
269
270        if ( $returnUrl ) {
271            $out->redirect( $returnUrl );
272        } else {
273            // messages used: changecredentials-success removecredentials-success
274            $out->addHTML(
275                Html::successBox(
276                    $out->msg( static::$messagePrefix . '-success' )->parse()
277                )
278            );
279            $out->returnToMain();
280        }
281    }
282
283    /**
284     * @return string|null
285     */
286    protected function getReturnUrl() {
287        $request = $this->getRequest();
288        $returnTo = $request->getText( 'returnto' );
289        $returnToQuery = $request->getText( 'returntoquery', '' );
290
291        if ( !$returnTo ) {
292            return null;
293        }
294
295        return Title::newFromText( $returnTo )->getFullUrlForRedirect( $returnToQuery );
296    }
297
298    protected function getRequestBlacklist() {
299        return $this->getConfig()->get( MainConfigNames::ChangeCredentialsBlacklist );
300    }
301}
302
303/** @deprecated class alias since 1.41 */
304class_alias( SpecialChangeCredentials::class, 'SpecialChangeCredentials' );