Reject authentication data change when there are warnings
authorGergő Tisza <gtisza@wikimedia.org>
Tue, 7 Jun 2016 16:15:12 +0000 (16:15 +0000)
committerAnomie <bjorsch@wikimedia.org>
Tue, 7 Jun 2016 17:24:18 +0000 (17:24 +0000)
AuthManager uses a status which is OK but not good for authentication
data that is discouraged but still accepted for authentication.
Users should not be allowed to change credentials into such invalid state.
This change brings the web logic and the AuthPlugin fallback in sync with
the API which already used the stricter check.

Change-Id: I4ff54fcc901f6fe11f15ed60fc1a3d8753de9f6c

includes/Preferences.php
includes/auth/AuthManagerAuthPlugin.php
includes/specialpage/AuthManagerSpecialPage.php
includes/user/User.php

index 9a55ae3..3083a8d 100644 (file)
@@ -296,7 +296,7 @@ class Preferences {
 
                $allowPasswordChange = $wgDisableAuthManager ? $wgAuth->allowPasswordChange()
                        : AuthManager::singleton()->allowsAuthenticationDataChange(
-                               new PasswordAuthenticationRequest(), false );
+                               new PasswordAuthenticationRequest(), false )->isGood();
                if ( $canEditPrivateInfo && $allowPasswordChange ) {
                        $link = Linker::link( SpecialPage::getTitleFor( 'ChangePassword' ),
                                $context->msg( 'prefs-resetpass' )->escaped(), [],
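Review bot: The changed line fixes a silent always-true condition, since before it a Status object was assigned to `$allowPasswordChange` and a Status is always truthy in the `if` that follows, and nothing in the hunk records that; a short comment would keep the next maintainer from "simplifying" it back. Something like `// ->isGood(): a Status object is always truthy, and OK-but-warned statuses must not allow the change either` above the assignment, and a note that the positional `false` skips data validation of the empty request (it appears to be the $checkData flag of allowsAuthenticationDataChange; confirm against the AuthManager signature). The enclosing method starts and ends outside the hunk.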
index bf1e021..8d85b44 100644 (file)
@@ -131,7 +131,7 @@ class AuthManagerAuthPlugin extends \AuthPlugin {
                $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
                foreach ( $reqs as $req ) {
                        $status = AuthManager::singleton()->allowsAuthenticationDataChange( $req );
-                       if ( !$status->isOk() ) {
+                       if ( !$status->isGood() ) {
                                $this->logger->info( __METHOD__ . ': Password change rejected: {reason}', [
                                        'username' => $data['username'],
                                        'reason' => $status->getWikiText( null, null, 'en' ),
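Review bot: With the stricter check on the changed line the info log that follows no longer tells a hard failure apart from a status that was OK but carried warnings, which is exactly the case this commit starts rejecting; adding the flag to the log context, e.g. `'ok' => $status->isOK(),` next to `'reason'`, keeps that visible to whoever reads the authentication log. The same applies to the rejection paths in AuthManagerSpecialPage.php and User.php. The enclosing method and the foreach loop continue outside the hunk.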
index 7866c12..41380f0 100644 (file)
@@ -375,7 +375,7 @@ abstract class AuthManagerSpecialPage extends SpecialPage {
                                $req = reset( $requests );
                                $status = $authManager->allowsAuthenticationDataChange( $req );
                                Hooks::run( 'ChangeAuthenticationDataAudit', [ $req, $status ] );
-                               if ( !$status->isOK() ) {
+                               if ( !$status->isGood() ) {
                                        return AuthenticationResponse::newFail( $status->getMessage() );
                                }
                                $authManager->changeAuthenticationData( $req );
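Review bot: The rejection on the changed line now also triggers for a status that only carries warnings, including any presumably added by handlers of the `ChangeAuthenticationDataAudit` hook run on the line before it, and the hunk does not document that intent; a comment such as `// Reject OK-but-not-good statuses (warnings) too, matching the API; audit hook handlers can therefore veto a change` would help. Whether hook handlers are meant to mutate the passed Status should be confirmed against the hook documentation. The enclosing method starts and ends outside the hunk.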
index 9e50f36..8ecf468 100644 (file)
@@ -2569,7 +2569,7 @@ class User implements IDBAccessObject {
                        $reqs = AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
                        foreach ( $reqs as $req ) {
                                $status = $manager->allowsAuthenticationDataChange( $req );
-                               if ( !$status->isOk() ) {
+                               if ( !$status->isGood() ) {
                                        \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
                                                ->info( __METHOD__ . ': Password change rejected: ' . $status->getWikiText() );
                                        return false;
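Review bot: The log call after the changed line formats the reason with `$status->getWikiText()` in the wiki's content language and concatenates it into the message, whereas the equivalent path in AuthManagerAuthPlugin.php forces English and passes the reason as a context value; mixed-language free-text log lines are harder to search. Consider `->info( __METHOD__ . ': Password change rejected: {reason}', [ 'reason' => $status->getWikiText( null, null, 'en' ) ] );` to match. The enclosing method and the foreach loop continue outside the hunk.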