includes/specials/SpecialPasswordReset.php

   1 <?php
   2 /**
   3  * Implements Special:PasswordReset
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  * @ingroup SpecialPage
  22  */
  23
  24 use MediaWiki\Auth\AuthManager;
  25
  26 /**
  27  * Special page for requesting a password reset email.
  28  *
  29  * Requires the TemporaryPasswordPrimaryAuthenticationProvider and the
  30  * EmailNotificationSecondaryAuthenticationProvider (or something providing equivalent
  31  * functionality) to be enabled.
  32  *
  33  * @ingroup SpecialPage
  34  */
  35 class SpecialPasswordReset extends FormSpecialPage {
  36         /** @var PasswordReset */
  37         private $passwordReset;
  38
  39         /**
  40          * @var string[] Temporary storage for the passwords which have been sent out, keyed by username.
  41          */
  42         private $passwords = [];
  43
  44         /**
  45          * @var Status
  46          */
  47         private $result;
  48
  49         /**
  50          * @var string $method Identifies which password reset field was specified by the user.
  51          */
  52         private $method;
  53
  54         public function __construct() {
  55                 parent::__construct( 'PasswordReset', 'editmyprivateinfo' );
  56                 $this->passwordReset = new PasswordReset( $this->getConfig(), AuthManager::singleton() );
  57         }
  58
  59         public function doesWrites() {
  60                 return true;
  61         }
  62
  63         public function userCanExecute( User $user ) {
  64                 return $this->passwordReset->isAllowed( $user )->isGood();
  65         }
  66
  67         public function checkExecutePermissions( User $user ) {
  68                 $status = Status::wrap( $this->passwordReset->isAllowed( $user ) );
  69                 if ( !$status->isGood() ) {
  70                         throw new ErrorPageError( 'internalerror', $status->getMessage() );
  71                 }
  72
  73                 parent::checkExecutePermissions( $user );
  74         }
  75
  76         protected function getFormFields() {
  77                 $resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
  78                 $a = [];
  79                 if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
  80                         $a['Username'] = [
  81                                 'type' => 'text',
  82                                 'label-message' => 'passwordreset-username',
  83                         ];
  84
  85                         if ( $this->getUser()->isLoggedIn() ) {
  86                                 $a['Username']['default'] = $this->getUser()->getName();
  87                         }
  88                 }
  89
  90                 if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
  91                         $a['Email'] = [
  92                                 'type' => 'email',
  93                                 'label-message' => 'passwordreset-email',
  94                         ];
  95                 }
  96
  97                 if ( $this->getUser()->isAllowed( 'passwordreset' ) ) {
  98                         $a['Capture'] = [
  99                                 'type' => 'check',
 100                                 'label-message' => 'passwordreset-capture',
 101                                 'help-message' => 'passwordreset-capture-help',
 102                         ];
 103                 }
 104
 105                 return $a;
 106         }
 107
 108         protected function getDisplayFormat() {
 109                 return 'ooui';
 110         }
 111
 112         public function alterForm( HTMLForm $form ) {
 113                 $resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
 114
 115                 $form->addHiddenFields( $this->getRequest()->getValues( 'returnto', 'returntoquery' ) );
 116
 117                 $i = 0;
 118                 if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
 119                         $i++;
 120                 }
 121                 if ( isset( $resetRoutes['email'] ) && $resetRoutes['email'] ) {
 122                         $i++;
 123                 }
 124
 125                 $message = ( $i > 1 ) ? 'passwordreset-text-many' : 'passwordreset-text-one';
 126
 127                 $form->setHeaderText( $this->msg( $message, $i )->parseAsBlock() );
 128                 $form->setSubmitTextMsg( 'mailmypassword' );
 129         }
 130
 131         /**
 132          * Process the form.  At this point we know that the user passes all the criteria in
 133          * userCanExecute(), and if the data array contains 'Username', etc, then Username
 134          * resets are allowed.
 135          * @param array $data
 136          * @throws MWException
 137          * @throws ThrottledError|PermissionsError
 138          * @return Status
 139          */
 140         public function onSubmit( array $data ) {
 141                 if ( isset( $data['Capture'] ) && !$this->getUser()->isAllowed( 'passwordreset' ) ) {
 142                         // The user knows they don't have the passwordreset permission,
 143                         // but they tried to spoof the form. That's naughty
 144                         throw new PermissionsError( 'passwordreset' );
 145                 }
 146
 147                 $username = isset( $data['Username'] ) ? $data['Username'] : null;
 148                 $email = isset( $data['Email'] ) ? $data['Email'] : null;
 149                 $capture = !empty( $data['Capture'] );
 150
 151                 $this->method = $username ? 'username' : 'email';
 152                 $this->result = Status::wrap(
 153                         $this->passwordReset->execute( $this->getUser(), $username, $email, $capture ) );
 154                 if ( $capture && $this->result->isOK() ) {
 155                         $this->passwords = $this->result->getValue();
 156                 }
 157
 158                 if ( $this->result->hasMessage( 'actionthrottledtext' ) ) {
 159                         throw new ThrottledError;
 160                 }
 161
 162                 return $this->result;
 163         }
 164
 165         public function onSuccess() {
 166                 if ( $this->getUser()->isAllowed( 'passwordreset' ) && $this->passwords ) {
 167                         // @todo Logging
 168
 169                         if ( $this->result->isGood() ) {
 170                                 $this->getOutput()->addWikiMsg( 'passwordreset-emailsent-capture2',
 171                                         count( $this->passwords ) );
 172                         } else {
 173                                 $this->getOutput()->addWikiMsg( 'passwordreset-emailerror-capture2',
 174                                         $this->result->getMessage(), key( $this->passwords ), count( $this->passwords ) );
 175                         }
 176
 177                         $this->getOutput()->addHTML( Html::openElement( 'ul' ) );
 178                         foreach ( $this->passwords as $username => $pwd ) {
 179                                 $this->getOutput()->addHTML( Html::rawElement( 'li', [],
 180                                         htmlspecialchars( $username, ENT_QUOTES )
 181                                         . $this->msg( 'colon-separator' )->text()
 182                                         . htmlspecialchars( $pwd, ENT_QUOTES )
 183                                 ) );
 184                         }
 185                         $this->getOutput()->addHTML( Html::closeElement( 'ul' ) );
 186                 }
 187
 188                 if ( $this->method === 'email' ) {
 189                         $this->getOutput()->addWikiMsg( 'passwordreset-emailsentemail' );
 190                 } else {
 191                         $this->getOutput()->addWikiMsg( 'passwordreset-emailsentusername' );
 192                 }
 193
 194                 $this->getOutput()->returnToMain();
 195         }
 196
 197         /**
 198          * Hide the password reset page if resets are disabled.
 199          * @return bool
 200          */
 201         public function isListed() {
 202                 if ( $this->passwordReset->isAllowed( $this->getUser() )->isGood() ) {
 203                         return parent::isListed();
 204                 }
 205
 206                 return false;
 207         }
 208
 209         protected function getGroupName() {
 210                 return 'users';
 211         }
 212 }