Installer: Validate password against sysop/bureaucrat policies
authorThis, that and the other <at.light@live.com.au>
Thu, 29 Oct 2015 12:24:40 +0000 (23:24 +1100)
committerThis, that and the other <at.light@live.com.au>
Thu, 29 Oct 2015 12:24:40 +0000 (23:24 +1100)
Previously, user-group-specific policies were not checked, because the
user hadn't been created yet, and so wasn't assigned to any groups. In his
overhaul of password policy, Chris wrote a function that was designed for
exactly this purpose (UserPasswordPolicy::checkUserPasswordForGroups) but
didn't put it into use.

Some changes to the error handling code are needed so the error messages
display correctly.

Bug: T115700
Change-Id: I1391c77c9667b646b29003bb0b2abcdc21d8c4d8

includes/installer/WebInstaller.php
includes/installer/WebInstallerPage.php

index 9edc25a..e8433f2 100644 (file)
@@ -386,15 +386,19 @@ class WebInstaller extends Installer {
        }
 
        /**
-        * Show an error message in a box. Parameters are like wfMessage().
-        * @param string $msg
+        * Show an error message in a box. Parameters are like wfMessage(), or
+        * alternatively, pass a Message object in.
+        * @param string|Message $msg
         */
        public function showError( $msg /*...*/ ) {
-               $args = func_get_args();
-               array_shift( $args );
-               $args = array_map( 'htmlspecialchars', $args );
-               $msg = wfMessage( $msg, $args )->useDatabase( false )->plain();
-               $this->output->addHTML( $this->getErrorBox( $msg ) );
+               if ( !( $msg instanceof Message ) ) {
+                       $args = func_get_args();
+                       array_shift( $args );
+                       $args = array_map( 'htmlspecialchars', $args );
+                       $msg = wfMessage( $msg, $args );
+               }
+               $text = $msg->useDatabase( false )->plain();
+               $this->output->addHTML( $this->getErrorBox( $text ) );
        }
 
        /**
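Review bot: The new Message branch of showError() skips the htmlspecialchars() step that the string branch applies to its arguments, yet both branches end in plain() and addHTML(), so any parameter carried by a passed-in Message reaches the page unescaped. For the password-policy messages this commit passes in, the parameters are probably numeric limits, but the method is general-purpose and its docblock should state the contract. I would add to the docblock: `When a Message object is passed, its parameters are not escaped here; the caller must ensure they are safe to output as HTML.` Also worth a comment: useDatabase( false ) is called on the caller's own Message object, which changes it in place.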
index 191c752..0fcda7d 100644 (file)
@@ -830,6 +830,8 @@ class WebInstallerName extends WebInstallerPage {
         * @return bool
         */
        public function submit() {
+               global $wgPasswordPolicy;
+
                $retVal = true;
                $this->parent->setVarsFromRequest( array( 'wgSitename', '_NamespaceType',
                        '_AdminName', '_AdminPassword', '_AdminPasswordConfirm', '_AdminEmail',
@@ -906,14 +908,21 @@ class WebInstallerName extends WebInstallerPage {
                $pwd = $this->getVar( '_AdminPassword' );
                $user = User::newFromName( $cname );
                if ( $user ) {
-                       $status = $user->checkPasswordValidity( $pwd, 'create' );
-                       $valid = $status->isGood() ? true : $status->getMessage()->escaped();
+                       $upp = new UserPasswordPolicy(
+                               $wgPasswordPolicy['policies'],
+                               $wgPasswordPolicy['checks']
+                       );
+                       $status = $upp->checkUserPasswordForGroups(
+                               $user,
+                               $pwd,
+                               array( 'bureaucrat', 'sysop' )  // per Installer::createSysop()
+                       );
+                       $valid = $status->isGood() ? true : $status->getMessage();
                } else {
                        $valid = 'config-admin-name-invalid';
                }
                if ( strval( $pwd ) === '' ) {
-                       # $user->getPasswordValidity just checks for $wgMinimalPasswordLength.
-                       # This message is more specific and helpful.
+                       // Provide a more specific and helpful message if password field is left blank
                        $msg = 'config-admin-password-blank';
                } elseif ( $pwd !== $this->getVar( '_AdminPasswordConfirm' ) ) {
                        $msg = 'config-admin-password-mismatch';
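Review bot: The group list `array( 'bureaucrat', 'sysop' )` passed to checkUserPasswordForGroups() is a second copy of what Installer::createSysop() assigns, tied to it only by a comment, so if the groups given to the initial account ever change, the password would silently be validated against the wrong policy. Consider exposing the list from one place in Installer (a method or class constant) and using it in both spots. Separately, `$wgPasswordPolicy['policies']` and `$wgPasswordPolicy['checks']` are read without confirming the keys exist; presumably the installer always has the default settings loaded, but a one-line comment saying so would help. submit() starts before and continues past this hunk, and the `global` declaration it relies on is in the preceding hunk.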
@@ -921,7 +930,7 @@ class WebInstallerName extends WebInstallerPage {
                        $msg = $valid;
                }
                if ( $msg !== false ) {
-                       call_user_func_array( array( $this->parent, 'showError' ), (array)$msg );
+                       call_user_func( array( $this->parent, 'showError' ), $msg );
                        $this->setVar( '_AdminPassword', '' );
                        $this->setVar( '_AdminPasswordConfirm', '' );
                        $retVal = false;
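Review bot: With a single argument, `call_user_func( array( $this->parent, 'showError' ), $msg );` can be written as the direct call `$this->parent->showError( $msg );`, which is easier to read and easier for static analysis to follow. `$msg` is now either a message key string or a Message object, so a short comment above the call such as `// $msg is a message key or a Message object` would document why no parameter array is passed any more. The enclosing submit() begins before this hunk and continues after it.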