From da9696333a3f40f456c5730f06992a5fca21b5ff Mon Sep 17 00:00:00 2001
From: "This, that and the other"
Date: Thu, 29 Oct 2015 23:24:40 +1100
Subject: [PATCH] Installer: Validate password against sysop/bureaucrat policies
Previously, user-group-specific policies were not checked, because the user hadn't been created yet, and so wasn't assigned to any groups. In his overhaul of password policy, Chris wrote a function that was designed for exactly this purpose (UserPasswordPolicy::checkUserPasswordForGroups) but didn't put it into use. Some changes to the error handling code are needed so the error messages display correctly.
Bug: T115700
Change-Id: I1391c77c9667b646b29003bb0b2abcdc21d8c4d8
---
 includes/installer/WebInstaller.php | 18 +++++++++++-------
 includes/installer/WebInstallerPage.php | 19 ++++++++++++++-----
 2 files changed, 25 insertions(+), 12 deletions(-)
diff --git a/includes/installer/WebInstaller.php b/includes/installer/WebInstaller.php
index 9edc25a709..e8433f2a97 100644
--- a/includes/installer/WebInstaller.php
+++ b/includes/installer/WebInstaller.php
@@ -386,15 +386,19 @@ class WebInstaller extends Installer {
 }
 /**
- * Show an error message in a box. Parameters are like wfMessage().
- * @param string $msg
+ * Show an error message in a box. Parameters are like wfMessage(), or
+ * alternatively, pass a Message object in.
+ * @param string|Message $msg
 */
 public function showError( $msg /*...*/ ) {
- $args = func_get_args();
- array_shift( $args );
- $args = array_map( 'htmlspecialchars', $args );
- $msg = wfMessage( $msg, $args )->useDatabase( false )->plain();
- $this->output->addHTML( $this->getErrorBox( $msg ) );
+ if ( !( $msg instanceof Message ) ) {
+ $args = func_get_args();
+ array_shift( $args );
+ $args = array_map( 'htmlspecialchars', $args );
+ $msg = wfMessage( $msg, $args );
+ }
+ $text = $msg->useDatabase( false )->plain();
+ $this->output->addHTML( $this->getErrorBox( $text ) );
 }
 /**
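Review bot: In showError(), the new `instanceof Message` branch skips the `array_map( 'htmlspecialchars', $args )` step that the string-key path still applies, so a Message object's parameters reach `plain()` and then `getErrorBox()`/`addHTML()` exactly as the caller supplied them. The docblock should say so, for example `@param string|Message $msg Message key, or a Message whose parameters are already safe to output; they are not escaped here`. The only caller visible in this patch passes a password-policy status message, whose parameters are presumably policy values rather than user input, but the signature gives later callers no such guarantee. Extra arguments passed alongside a Message are also silently ignored, and `useDatabase( false )` is applied to the caller's own object; both deserve a line in the same docblock.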
diff --git a/includes/installer/WebInstallerPage.php b/includes/installer/WebInstallerPage.php
index 191c752bb1..0fcda7d087 100644
--- a/includes/installer/WebInstallerPage.php
+++ b/includes/installer/WebInstallerPage.php
@@ -830,6 +830,8 @@ class WebInstallerName extends WebInstallerPage {
 * @return bool
 */
 public function submit() {
+ global $wgPasswordPolicy;
+
 $retVal = true;
 $this->parent->setVarsFromRequest( array( 'wgSitename', '_NamespaceType', '_AdminName', '_AdminPassword', '_AdminPasswordConfirm', '_AdminEmail',
@@ -906,14 +908,21 @@ class WebInstallerName extends WebInstallerPage {
 $pwd = $this->getVar( '_AdminPassword' );
 $user = User::newFromName( $cname );
 if ( $user ) {
- $status = $user->checkPasswordValidity( $pwd, 'create' );
- $valid = $status->isGood() ? true : $status->getMessage()->escaped();
+ $upp = new UserPasswordPolicy(
+ $wgPasswordPolicy['policies'],
+ $wgPasswordPolicy['checks']
+ );
+ $status = $upp->checkUserPasswordForGroups(
+ $user,
+ $pwd,
+ array( 'bureaucrat', 'sysop' ) // per Installer::createSysop()
+ );
+ $valid = $status->isGood() ? true : $status->getMessage();
 } else {
 $valid = 'config-admin-name-invalid';
 }
 if ( strval( $pwd ) === '' ) {
- # $user->getPasswordValidity just checks for $wgMinimalPasswordLength.
- # This message is more specific and helpful.
+ // Provide a more specific and helpful message if password field is left blank
 $msg = 'config-admin-password-blank';
 } elseif ( $pwd !== $this->getVar( '_AdminPasswordConfirm' ) ) {
 $msg = 'config-admin-password-mismatch';
@@ -921,7 +930,7 @@ class WebInstallerName extends WebInstallerPage {
 $msg = $valid;
 }
 if ( $msg !== false ) {
- call_user_func_array( array( $this->parent, 'showError' ), (array)$msg );
+ call_user_func( array( $this->parent, 'showError' ), $msg );
 $this->setVar( '_AdminPassword', '' );
 $this->setVar( '_AdminPasswordConfirm', '' );
 $retVal = false;
-- 
2.20.1
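Review bot: The group list `array( 'bureaucrat', 'sysop' )` passed to checkUserPasswordForGroups() duplicates what Installer::createSysop() assigns, and only the trailing comment ties the two together. If createSysop() later grants another group, the installer would accept an administrator password that the new group's policy rejects, and nothing would flag the drift. Consider having both places read one shared list (a constant or small accessor on Installer), or at minimum add a matching comment at the createSysop() end, e.g. `// keep in sync with the password policy check in WebInstallerName::submit()`. Also note that `$valid` now holds an unescaped Message where it used to hold `->escaped()` text, so safe rendering depends entirely on showError(). submit() starts and ends outside this hunk.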
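Review bot: With a single argument left, `call_user_func( array( $this->parent, 'showError' ), $msg )` is an indirect way of writing a plain method call; `$this->parent->showError( $msg );` reads more clearly and lets static analysis follow the call. At this point `$msg` can be either a message key string or a Message object, which a short comment above `if ( $msg !== false )` would make explicit. The rest of submit() lies outside this hunk.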