From 9d7af803a1b5545ae6b69cc9da13f98e9525f1b6 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Fri, 7 Mar 2014 17:14:24 -0800
Subject: [PATCH] Allow login with passwords not meeting complexity requirements

As part of https://www.mediawiki.org/wiki/Requests_for_comment/Passwords

This patch:
* Allows users to login with a password that does not meet the requirements of User::isValidPassword(), including the minimum password length.
* Adds a configuration flag that specifies if users should be sent to the change password form when they login with a password that doesn't meet the requirements of User::isValidPassword().

To test the UX as it will be on WMF wikis, set $wgMinimalPasswordLength=6 in your LocalSettings.php.

Change-Id: Ib7b72005fea1c69073c0a33a68c0a0df0d6528d2
---
 includes/DefaultSettings.php | 7 +++++++
 includes/User.php | 7 +------
 includes/specials/SpecialUserlogin.php | 10 +++++++++-
 languages/messages/MessagesEn.php | 3 +++
 languages/messages/MessagesQqq.php | 4 ++++
 maintenance/language/messages.inc | 1 +
 6 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 50db6c7212..c6ebb35ad2 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3977,6 +3977,13 @@ $wgPasswordSalt = true;
  */
 $wgMinimalPasswordLength = 1;
 
+/**
+ * Specifies if users should be sent to a password-reset form on login, if their
+ * password doesn't meet the requirements of User::isValidPassword().
+ * @since 1.23
+ */
+$wgInvalidPasswordReset = true;
+
 /**
  * Whether to allow password resets ("enter some identifying data, and we'll send an email
  * with a temporary password you can use to get back into the account") identified by
diff --git a/includes/User.php b/includes/User.php
index 9b47acf9a5..a897d215a9 100644
--- a/includes/User.php
+++ b/includes/User.php
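Review bot: The new `$wgInvalidPasswordReset` doc comment does not say what happens when the flag is false, and that is the security-relevant case: the `else` branch in the SpecialUserlogin hunk calls `successfulLogin()`, so a non-compliant password is accepted with no prompt at all. The comment also says "password-reset form" while the commit message and the qqq text for the new message describe the change-password form ([[Special:ChangePassword]]). Suggested wording for the two description lines: `* If true, users whose password fails User::isValidPassword() (e.g. the $wgMinimalPasswordLength check) are sent to the change-password form on login;` / `* if false, they are logged in normally and are never prompted.`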
@@ -3722,14 +3722,9 @@ class User {
 		global $wgAuth, $wgLegacyEncoding;
 		$this->load();
 
-		// Even though we stop people from creating passwords that
-		// are shorter than this, doesn't mean people wont be able
-		// to. Certain authentication plugins do NOT want to save
+		// Certain authentication plugins do NOT want to save
 		// domain passwords in a mysql database, so we should
 		// check this (in case $wgAuth->strict() is false).
-		if ( !$this->isValidPassword( $password ) ) {
-			return false;
-		}
 
 		if ( $wgAuth->authenticate( $this->getName(), $password ) ) {
 			return true;
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 69013b046a..1c9fed7260 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -767,7 +767,8 @@ class LoginForm extends SpecialPage {
 	}
 
 	function processLogin() {
-		global $wgMemc, $wgLang, $wgSecureLogin, $wgPasswordAttemptThrottle;
+		global $wgMemc, $wgLang, $wgSecureLogin, $wgPasswordAttemptThrottle,
+			$wgInvalidPasswordReset;
 
 		switch ( $this->authenticateUserData() ) {
 			case self::SUCCESS:
@@ -808,6 +809,13 @@ class LoginForm extends SpecialPage {
 				$this->renewSessionId();
 				if ( $this->getUser()->getPasswordExpired() == 'soft' ) {
 					$this->resetLoginForm( $this->msg( 'resetpass-expired-soft' ) );
+				} elseif ( $wgInvalidPasswordReset
+					&& !$user->isValidPassword( $this->mPassword )
+				) {
+					$status = $user->checkPasswordValidity( $this->mPassword );
+					$this->resetLoginForm(
+						$status->getMessage( 'resetpass-validity-soft' )
+					);
 				} else {
 					$this->successfulLogin();
 				}
diff --git a/languages/messages/MessagesEn.php b/languages/messages/MessagesEn.php
index f1725a3a6d..d37d7b06af 100644
--- a/languages/messages/MessagesEn.php
+++ b/languages/messages/MessagesEn.php
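Review bot: With the `isValidPassword()` guard deleted, an empty password now reaches `$wgAuth->authenticate()` and the local comparison that follows, whereas before — with the default `$wgMinimalPasswordLength = 1` shown in the DefaultSettings hunk and the minimum-length rule the commit message attributes to `isValidPassword()` — it was rejected before any plugin saw it. Whether that is safe now depends on each auth plugin: on many directory servers a bind with an empty password is treated as an anonymous bind, so a plugin that only checks the bind result would accept the login. A cheap guard that keeps the commit's intent is to reject the empty string before the plugin call: `if ( $password === '' ) { return false; }`. Note also that this is `checkPassword()` itself, so every caller of it — not only the Special:UserLogin path that gets the new prompt — now accepts policy-violating passwords. The method's signature and the remainder of its body lie outside the hunk.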
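Review bot: The new `elseif` evaluates the password policy twice — `$user->isValidPassword()` in the condition and `$user->checkPasswordValidity()` in the body — which, if `isValidPassword()` is built on `checkPasswordValidity()` as the pairing suggests, runs the policy (and any `isValidPassword` hook an extension registers) twice per login, with the risk that a non-deterministic hook answers differently each time. Compute the Status once, above the `if` chain, and branch on it: `$status = $user->checkPasswordValidity( $this->mPassword );` then `} elseif ( $wgInvalidPasswordReset && !$status->isGood() ) {`, keeping the `resetLoginForm()` call as is. `$user` is not assigned anywhere in this hunk, so it presumably comes from earlier in the `case self::SUCCESS:` branch; the adjacent line uses `$this->getUser()` for the same object, and the two should agree. The prompt exists only on this `processLogin()` path, so any caller that authenticates through `authenticateUserData()` without it — the API login, presumably — will accept such a password silently; the enclosing `case` starts outside the hunk.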
@@ -1289,6 +1289,9 @@ To finish logging in, you must set a new password here:',
 'resetpass-abort-generic' => 'Password change has been aborted by an extension.',
 'resetpass-expired' => 'Your password has expired. Please set a new password to log in.',
 'resetpass-expired-soft' => 'Your password has expired and needs to be reset. Please choose a new password now, or click "{{int:resetpass-submit-cancel}}" to reset it later.',
+'resetpass-validity-soft' => 'Your password is not valid: $1
+
+Please choose a new password now, or click "{{int:resetpass-submit-cancel}}" to reset it later.',
 
 # Special:PasswordReset
 'passwordreset' => 'Reset password',
diff --git a/languages/messages/MessagesQqq.php b/languages/messages/MessagesQqq.php
index a5e12d06f0..938f369a64 100644
--- a/languages/messages/MessagesQqq.php
+++ b/languages/messages/MessagesQqq.php
@@ -1647,6 +1647,10 @@ Parameters:
 'resetpass-abort-generic' => 'Generic error message shown on [[Special:ChangePassword]] when an extension aborts a password change from a hook.',
 'resetpass-expired' => "Generic error message shown on [[Special:ChangePassword]] when a user's password is expired",
 'resetpass-expired-soft' => 'Generic warning message shown on [[Special:ChangePassword]] when a user needs to reset their password, but they are not prevented from logging in at this time',
+'resetpass-validity-soft' => 'Warning message shown on [[Special:ChangePassword]] when a user needs to reset their password, because their password is not valid.
+
+Parameters:
+* $1 - error message',
 
 # Special:PasswordReset
 'passwordreset' => 'Title of [[Special:PasswordReset]].
diff --git a/maintenance/language/messages.inc b/maintenance/language/messages.inc
index d4fdfeebb2..e315357f4e 100644
--- a/maintenance/language/messages.inc
+++ b/maintenance/language/messages.inc
@@ -592,6 +592,7 @@ $wgMessageStructure = array(
 		'resetpass-abort-generic',
 		'resetpass-expired',
 		'resetpass-expired-soft',
+		'resetpass-validity-soft',
 	),
 	'passwordreset' => array(
 		'passwordreset',
-- 
2.20.1