MediaWiki  1.23.2
SpecialChangePassword.php
Go to the documentation of this file.
1 <?php
29 class SpecialChangePassword extends FormSpecialPage {
30 
31  protected $mUserName, $mDomain;
32 
33  // Optional Wikitext Message to show above the password change form
34  protected $mPreTextMessage = null;
35 
36  // label for old password input
37  protected $mOldPassMsg = null;
38 
39  public function __construct() {
40  parent::__construct( 'ChangePassword', 'editmyprivateinfo' );
41  $this->listed( false );
42  }
43 
47  function execute( $par ) {
48  $this->getOutput()->disallowUserJs();
49 
50  parent::execute( $par );
51  }
52 
53  protected function checkExecutePermissions( User $user ) {
54  parent::checkExecutePermissions( $user );
55 
56  if ( !$this->getRequest()->wasPosted() ) {
57  $this->requireLogin( 'resetpass-no-info' );
58  }
59  }
60 
66  public function setChangeMessage( Message $msg ) {
67  $this->mPreTextMessage = $msg;
68  }
69 
75  public function setOldPasswordMessage( $msg ) {
76  $this->mOldPassMsg = $msg;
77  }
78 
79  protected function getFormFields() {
80  global $wgCookieExpiration;
81 
82  $user = $this->getUser();
83  $request = $this->getRequest();
84 
85  $oldpassMsg = $this->mOldPassMsg;
86  if ( !isset( $oldpassMsg ) ) {
87  $oldpassMsg = $user->isLoggedIn() ? 'oldpassword' : 'resetpass-temp-password';
88  }
89 
90  $fields = array(
91  'Name' => array(
92  'type' => 'info',
93  'label-message' => 'username',
94  'default' => $request->getVal( 'wpName', $user->getName() ),
95  ),
96  'Password' => array(
97  'type' => 'password',
98  'label-message' => $oldpassMsg,
99  ),
100  'NewPassword' => array(
101  'type' => 'password',
102  'label-message' => 'newpassword',
103  ),
104  'Retype' => array(
105  'type' => 'password',
106  'label-message' => 'retypenew',
107  ),
108  );
109 
110  if ( !$this->getUser()->isLoggedIn() ) {
111  if ( !LoginForm::getLoginToken() ) {
112  LoginForm::setLoginToken();
113  }
114  $fields['LoginOnChangeToken'] = array(
115  'type' => 'hidden',
116  'label' => 'Change Password Token',
117  'default' => LoginForm::getLoginToken(),
118  );
119  }
120 
121  $extraFields = array();
122  wfRunHooks( 'ChangePasswordForm', array( &$extraFields ) );
123  foreach ( $extraFields as $extra ) {
124  list( $name, $label, $type, $default ) = $extra;
125  $fields[$name] = array(
126  'type' => $type,
127  'name' => $name,
128  'label-message' => $label,
129  'default' => $default,
130  );
131  }
132 
133  if ( !$user->isLoggedIn() ) {
134  $fields['Remember'] = array(
135  'type' => 'check',
136  'label' => $this->msg( 'remembermypassword' )
137  ->numParams( ceil( $wgCookieExpiration / ( 3600 * 24 ) ) )
138  ->text(),
139  'default' => $request->getVal( 'wpRemember' ),
140  );
141  }
142 
143  return $fields;
144  }
145 
146  protected function alterForm( HTMLForm $form ) {
147  $form->setId( 'mw-resetpass-form' );
148  $form->setTableId( 'mw-resetpass-table' );
149  $form->setWrapperLegendMsg( 'resetpass_header' );
150  $form->setSubmitTextMsg(
151  $this->getUser()->isLoggedIn()
152  ? 'resetpass-submit-loggedin'
153  : 'resetpass_submit'
154  );
155  $form->addButton( 'wpCancel', $this->msg( 'resetpass-submit-cancel' )->text() );
156  $form->setHeaderText( $this->msg( 'resetpass_text' )->parseAsBlock() );
157  if ( $this->mPreTextMessage instanceof Message ) {
158  $form->addPreText( $this->mPreTextMessage->parseAsBlock() );
159  }
160  $form->addHiddenFields(
161  $this->getRequest()->getValues( 'wpName', 'wpDomain', 'returnto', 'returntoquery' ) );
162  }
163 
164  public function onSubmit( array $data ) {
165  global $wgAuth;
166 
167  $request = $this->getRequest();
168 
169  if ( $request->getCheck( 'wpLoginToken' ) ) {
170  // This comes from Special:Userlogin when logging in with a temporary password
171  return false;
172  }
173 
174  if ( !$this->getUser()->isLoggedIn()
175  && $request->getVal( 'wpLoginOnChangeToken' ) !== LoginForm::getLoginToken()
176  ) {
177  // Potential CSRF (bug 62497)
178  return false;
179  }
180 
181 
182  if ( $request->getCheck( 'wpCancel' ) ) {
183  $titleObj = Title::newFromText( $request->getVal( 'returnto' ) );
184  if ( !$titleObj instanceof Title ) {
185  $titleObj = Title::newMainPage();
186  }
187  $query = $request->getVal( 'returntoquery' );
188  $this->getOutput()->redirect( $titleObj->getFullURL( $query ) );
189 
190  return true;
191  }
192 
193  try {
194  $this->mUserName = $request->getVal( 'wpName', $this->getUser()->getName() );
195  $this->mDomain = $wgAuth->getDomain();
196 
197  if ( !$wgAuth->allowPasswordChange() ) {
198  throw new ErrorPageError( 'changepassword', 'resetpass_forbidden' );
199  }
200 
201  $this->attemptReset( $data['Password'], $data['NewPassword'], $data['Retype'] );
202 
203  return true;
204  } catch ( PasswordError $e ) {
205  return $e->getMessage();
206  }
207  }
208 
209  public function onSuccess() {
210  if ( $this->getUser()->isLoggedIn() ) {
211  $this->getOutput()->wrapWikiMsg(
212  "<div class=\"successbox\">\n$1\n</div>",
213  'changepassword-success'
214  );
215  $this->getOutput()->returnToMain();
216  } else {
217  $request = $this->getRequest();
218  LoginForm::setLoginToken();
219  $token = LoginForm::getLoginToken();
220  $data = array(
221  'action' => 'submitlogin',
222  'wpName' => $this->mUserName,
223  'wpDomain' => $this->mDomain,
224  'wpLoginToken' => $token,
225  'wpPassword' => $request->getVal( 'wpNewPassword' ),
226  ) + $request->getValues( 'wpRemember', 'returnto', 'returntoquery' );
227  $login = new LoginForm( new DerivativeRequest( $request, $data, true ) );
228  $login->setContext( $this->getContext() );
229  $login->execute( null );
230  }
231  }
232 
236  protected function attemptReset( $oldpass, $newpass, $retype ) {
237  global $wgPasswordAttemptThrottle;
238 
239  $isSelf = ( $this->mUserName === $this->getUser()->getName() );
240  if ( $isSelf ) {
241  $user = $this->getUser();
242  } else {
243  $user = User::newFromName( $this->mUserName );
244  }
245 
246  if ( !$user || $user->isAnon() ) {
247  throw new PasswordError( $this->msg( 'nosuchusershort', $this->mUserName )->text() );
248  }
249 
250  if ( $newpass !== $retype ) {
251  wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'badretype' ) );
252  throw new PasswordError( $this->msg( 'badretype' )->text() );
253  }
254 
255  $throttleCount = LoginForm::incLoginThrottle( $this->mUserName );
256  if ( $throttleCount === true ) {
257  $lang = $this->getLanguage();
258  throw new PasswordError( $this->msg( 'changepassword-throttled' )
259  ->params( $lang->formatDuration( $wgPasswordAttemptThrottle['seconds'] ) )
260  ->text()
261  );
262  }
263 
264  // @TODO Make these separate messages, since the message is written for both cases
265  if ( !$user->checkTemporaryPassword( $oldpass ) && !$user->checkPassword( $oldpass ) ) {
266  wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'wrongpassword' ) );
267  throw new PasswordError( $this->msg( 'resetpass-wrong-oldpass' )->text() );
268  }
269 
270  // User is resetting their password to their old password
271  if ( $oldpass === $newpass ) {
272  throw new PasswordError( $this->msg( 'resetpass-recycled' )->text() );
273  }
274 
275  // Do AbortChangePassword after checking mOldpass, so we don't leak information
276  // by possibly aborting a new password before verifying the old password.
277  $abortMsg = 'resetpass-abort-generic';
278  if ( !wfRunHooks( 'AbortChangePassword', array( $user, $oldpass, $newpass, &$abortMsg ) ) ) {
279  wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'abortreset' ) );
280  throw new PasswordError( $this->msg( $abortMsg )->text() );
281  }
282 
283  // Please reset throttle for successful logins, thanks!
284  if ( $throttleCount ) {
285  LoginForm::clearLoginThrottle( $this->mUserName );
286  }
287 
288  try {
289  $user->setPassword( $newpass );
290  wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'success' ) );
291  } catch ( PasswordError $e ) {
292  wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'error' ) );
293  throw new PasswordError( $e->getMessage() );
294  }
295 
296  if ( $isSelf ) {
297  // This is needed to keep the user connected since
298  // changing the password also modifies the user's token.
299  $user->setCookies();
300  }
301  $user->resetPasswordExpiration();
302  $user->saveSettings();
303  }
304 
305  public function requiresUnblock() {
306  return false;
307  }
308 
309  protected function getGroupName() {
310  return 'users';
311  }
312 }
SpecialChangePassword\__construct
__construct()
Definition: SpecialChangePassword.php:39
DerivativeRequest
Similar to FauxRequest, but only fakes URL parameters and method (POST or GET) and use the base reque...
Definition: WebRequest.php:1455
Title\newFromText
static newFromText( $text, $defaultNamespace=NS_MAIN)
Create a new Title from text, such as what one would find in a link.
Definition: Title.php:189
php
skin txt MediaWiki includes four core it has been set as the default in MediaWiki since the replacing Monobook it had been been the default skin since before being replaced by Vector largely rewritten in while keeping its appearance Several legacy skins were removed in the as the burden of supporting them became too heavy to bear Those in etc for skin dependent CSS etc for skin dependent JavaScript These can also be customised on a per user by etc This feature has led to a wide variety of user styles becoming that gallery is a good place to ending in php
Definition: skin.txt:62
SpecialChangePassword\getGroupName
getGroupName()
Under which header this special page is listed in Special:SpecialPages See messages 'specialpages-gro...
Definition: SpecialChangePassword.php:309
SpecialPage\getOutput
getOutput()
Get the OutputPage being used for this instance.
Definition: SpecialPage.php:535
SpecialChangePassword\$mPreTextMessage
$mPreTextMessage
Definition: SpecialChangePassword.php:34
SpecialChangePassword\$mDomain
$mDomain
Definition: SpecialChangePassword.php:31
text
design txt This is a brief overview of the new design More thorough and up to date information is available on the documentation wiki at etc Handles the details of getting and saving to the user table of the and dealing with sessions and cookies OutputPage Encapsulates the entire HTML page that will be sent in response to any server request It is used by calling its functions to add text
Definition: design.txt:12
SpecialChangePassword\execute
execute( $par)
Main execution point.
Definition: SpecialChangePassword.php:47
Title\newMainPage
static newMainPage()
Create a new Title for the Main Page.
Definition: Title.php:441
$form
usually copyright or history_copyright This message must be in HTML not wikitext $subpages will be ignored and the rest of subPageSubtitle() will run. 'SkinTemplateBuildNavUrlsNav_urlsAfterPermalink' whether MediaWiki currently thinks this is a CSS JS page Hooks may change this value to override the return value of Title::isCssOrJsPage(). 'TitleIsAlwaysKnown' whether MediaWiki currently thinks this page is known isMovable() always returns false. $title whether MediaWiki currently thinks this page is movable Hooks may change this value to override the return value of Title::isMovable(). 'TitleIsWikitextPage' whether MediaWiki currently thinks this is a wikitext page Hooks may change this value to override the return value of Title::isWikitextPage() 'TitleMove' use UploadVerification and UploadVerifyFile instead $form
Definition: hooks.txt:2573
HTMLForm\setHeaderText
setHeaderText( $msg, $section=null)
Set header text, inside the form.
Definition: HTMLForm.php:572
SpecialChangePassword\$mUserName
$mUserName
Definition: SpecialChangePassword.php:31
LoginForm\incLoginThrottle
static incLoginThrottle( $username)
Increment the login attempt throttle hit count for the (username,current IP) tuple unless the throttl...
Definition: SpecialUserlogin.php:723
PasswordError
Thrown by User::setPassword() on error.
Definition: User.php:45
FormSpecialPage
Special page which uses an HTMLForm to handle processing.
Definition: FormSpecialPage.php:31
User\newFromName
static newFromName( $name, $validate='valid')
Static factory method for creation from username.
Definition: User.php:388
LoginForm\clearLoginThrottle
static clearLoginThrottle( $username)
Clear the login attempt throttle hit count for the (username,current IP) tuple.
Definition: SpecialUserlogin.php:751
SpecialPage\getLanguage
getLanguage()
Shortcut to get user's language.
Definition: SpecialPage.php:578
SpecialPage\getName
getName()
Get the name of this Special Page.
Definition: SpecialPage.php:139
SpecialPage\requireLogin
requireLogin( $reasonMsg=null, $titleMsg=null)
If the user is not logged in, throws UserNotLoggedIn error.
Definition: SpecialPage.php:321
LoginForm\setLoginToken
static setLoginToken()
Randomly generate a new login token and attach it to the current session.
Definition: SpecialUserlogin.php:1387
SpecialChangePassword\onSuccess
onSuccess()
Do something exciting on successful processing of the form, most likely to show a confirmation messag...
Definition: SpecialChangePassword.php:209
SpecialChangePassword\setOldPasswordMessage
setOldPasswordMessage( $msg)
Set a message at the top of the Change Password form.
Definition: SpecialChangePassword.php:75
$abortMsg
please add to it if you re going to add events to the MediaWiki code where normally authentication against an external auth plugin would be creating a account incomplete & $abortMsg
Definition: hooks.txt:237
SpecialChangePassword\$mOldPassMsg
$mOldPassMsg
Definition: SpecialChangePassword.php:37
SpecialChangePassword\checkExecutePermissions
checkExecutePermissions(User $user)
Called from execute() to check if the given user can perform this action.
Definition: SpecialChangePassword.php:53
wfRunHooks
wfRunHooks( $event, array $args=array(), $deprecatedVersion=null)
Call hook functions defined in $wgHooks.
Definition: GlobalFunctions.php:4001
SpecialChangePassword\getFormFields
getFormFields()
Get an HTMLForm descriptor array.
Definition: SpecialChangePassword.php:79
SpecialChangePassword\alterForm
alterForm(HTMLForm $form)
Play with the HTMLForm if you need to more substantially.
Definition: SpecialChangePassword.php:146
array
the array() calling protocol came about after MediaWiki 1.4rc1.
List of Api Query prop modules.
SpecialPage\getUser
getUser()
Shortcut to get the User executing this instance.
Definition: SpecialPage.php:545
global
when a variable name is used in a it is silently declared as a new masking the global
Definition: design.txt:93
LoginForm
Implements Special:UserLogin.
Definition: SpecialUserlogin.php:29
list
deferred txt A few of the database updates required by various functions here can be deferred until after the result page is displayed to the user For updating the view updating the linked to tables after a etc PHP does not yet have any way to tell the server to actually return and disconnect while still running these but it might have such a feature in the future We handle these by creating a deferred update object and putting those objects on a global list
Definition: deferred.txt:11
SpecialPage\getContext
getContext()
Gets the context this SpecialPage is executed in.
Definition: SpecialPage.php:508
execute
$batch execute()
SpecialChangePassword
Let users recover their password.
Definition: SpecialChangePassword.php:29
$name
Allows to change the fields on the form that will be generated $name
Definition: hooks.txt:336
SpecialPage\msg
msg()
Wrapper around wfMessage that sets the current context.
Definition: SpecialPage.php:609
FormSpecialPage\$par
string $par
The sub-page of the special page.
Definition: FormSpecialPage.php:35
SpecialPage\listed
listed( $x=null)
Get or set whether this special page is listed in Special:SpecialPages.
Definition: SpecialPage.php:190
SpecialPage\getRequest
getRequest()
Get the WebRequest being used for this instance.
Definition: SpecialPage.php:525
$user
please add to it if you re going to add events to the MediaWiki code where normally authentication against an external auth plugin would be creating a account $user
Definition: hooks.txt:237
SpecialChangePassword\attemptReset
attemptReset( $oldpass, $newpass, $retype)
Definition: SpecialChangePassword.php:236
Title
Represents a title within MediaWiki.
Definition: Title.php:35
SpecialChangePassword\setChangeMessage
setChangeMessage(Message $msg)
Set a message at the top of the Change Password form.
Definition: SpecialChangePassword.php:66
as
This document is intended to provide useful advice for parties seeking to redistribute MediaWiki to end users It s targeted particularly at maintainers for Linux since it s been observed that distribution packages of MediaWiki often break We ve consistently had to recommend that users seeking support use official tarballs instead of their distribution s and this often solves whatever problem the user is having It would be nice if this could such as
Definition: distributors.txt:9
SpecialChangePassword\requiresUnblock
requiresUnblock()
Whether this action cannot be executed by a blocked user.
Definition: SpecialChangePassword.php:305
LoginForm\getLoginToken
static getLoginToken()
Get the login token from the current session.
Definition: SpecialUserlogin.php:1378
$e
if( $useReadline) $e
Definition: eval.php:66
ErrorPageError
An error page which can definitely be safely rendered using the OutputPage.
Definition: ErrorPageError.php:27
$query
return true to allow those checks to and false if checking is done use this to change the tables headers temp or archived zone change it to an object instance and return false override the list derivative used the name of the old file when set the default code will be skipped add a value to it if you want to add a cookie that have to vary cache options can modify $query
Definition: hooks.txt:1105
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition: User.php:59
SpecialChangePassword\onSubmit
onSubmit(array $data)
Process the form on POST submission.
Definition: SpecialChangePassword.php:164
HTMLForm
Object handling generic submission, CSRF protection, layout and other logic for UI forms.
Definition: HTMLForm.php:100
$type
$type
Definition: testCompression.php:46