search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Wrap libxml_disable_entity_loader() calls in version constraint
[mediawiki.git] / includes / user / PasswordReset.php
blob309047e3be3a036f5c18692687f0a333044b9b47
1 <?php
2 /**
3 * User password reset helper for MediaWiki.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 use MediaWiki\Auth\AuthManager;
24 use MediaWiki\Auth\TemporaryPasswordAuthenticationRequest;
25 use MediaWiki\Config\ServiceOptions;
26 use MediaWiki\HookContainer\HookContainer;
27 use MediaWiki\HookContainer\HookRunner;
28 use MediaWiki\Permissions\PermissionManager;
29 use MediaWiki\User\UserFactory;
30 use MediaWiki\User\UserNameUtils;
31 use MediaWiki\User\UserOptionsLookup;
32 use Psr\Log\LoggerAwareInterface;
33 use Psr\Log\LoggerAwareTrait;
34 use Psr\Log\LoggerInterface;
35 use Wikimedia\Rdbms\ILoadBalancer;
36
37 /**
38 * Helper class for the password reset functionality shared by the web UI and the API.
39 *
40 * Requires the TemporaryPasswordPrimaryAuthenticationProvider and the
41 * EmailNotificationSecondaryAuthenticationProvider (or something providing equivalent
42 * functionality) to be enabled.
43 */
44 class PasswordReset implements LoggerAwareInterface {
45 use LoggerAwareTrait;
46
47 /** @var ServiceOptions */
48 private $config;
49
50 /** @var AuthManager */
51 private $authManager;
52
53 /** @var HookRunner */
54 private $hookRunner;
55
56 /** @var ILoadBalancer */
57 private $loadBalancer;
58
59 /** @var PermissionManager */
60 private $permissionManager;
61
62 /** @var UserFactory */
63 private $userFactory;
64
65 /** @var UserNameUtils */
66 private $userNameUtils;
67
68 /** @var UserOptionsLookup */
69 private $userOptionsLookup;
70
71 /**
72 * In-process cache for isAllowed lookups, by username.
73 * Contains a StatusValue object
74 * @var MapCacheLRU
75 */
76 private $permissionCache;
77
78 /**
79 * @internal For use by ServiceWiring
80 */
81 public const CONSTRUCTOR_OPTIONS = [
82 'AllowRequiringEmailForResets',
83 'EnableEmail',
84 'PasswordResetRoutes',
85 ];
86
87 /**
88 * This class is managed by MediaWikiServices, don't instantiate directly.
89 *
90 * @param ServiceOptions $config
91 * @param LoggerInterface $logger
92 * @param AuthManager $authManager
93 * @param HookContainer $hookContainer
94 * @param ILoadBalancer $loadBalancer
95 * @param PermissionManager $permissionManager
96 * @param UserFactory $userFactory
97 * @param UserNameUtils $userNameUtils
98 * @param UserOptionsLookup $userOptionsLookup
99 */
100 public function __construct(
101 ServiceOptions $config,
102 LoggerInterface $logger,
103 AuthManager $authManager,
104 HookContainer $hookContainer,
105 ILoadBalancer $loadBalancer,
106 PermissionManager $permissionManager,
107 UserFactory $userFactory,
108 UserNameUtils $userNameUtils,
109 UserOptionsLookup $userOptionsLookup
110 ) {
111 $config->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
112
113 $this->config = $config;
114 $this->logger = $logger;
115
116 $this->authManager = $authManager;
117 $this->hookRunner = new HookRunner( $hookContainer );
118 $this->loadBalancer = $loadBalancer;
119 $this->permissionManager = $permissionManager;
120 $this->userFactory = $userFactory;
121 $this->userNameUtils = $userNameUtils;
122 $this->userOptionsLookup = $userOptionsLookup;
123
124 $this->permissionCache = new MapCacheLRU( 1 );
125 }
126
127 /**
128 * Check if a given user has permission to use this functionality.
129 * @param User $user
130 * @since 1.29 Second argument for displayPassword removed.
131 * @return StatusValue
132 */
133 public function isAllowed( User $user ) {
134 $status = $this->permissionCache->get( $user->getName() );
135 if ( !$status ) {
136 $resetRoutes = $this->config->get( 'PasswordResetRoutes' );
137 $status = StatusValue::newGood();
138
139 if ( !is_array( $resetRoutes ) || !in_array( true, $resetRoutes, true ) ) {
140 // Maybe password resets are disabled, or there are no allowable routes
141 $status = StatusValue::newFatal( 'passwordreset-disabled' );
142 } elseif (
143 ( $providerStatus = $this->authManager->allowsAuthenticationDataChange(
144 new TemporaryPasswordAuthenticationRequest(), false ) )
145 && !$providerStatus->isGood()
146 ) {
147 // Maybe the external auth plugin won't allow local password changes
148 $status = StatusValue::newFatal( 'resetpass_forbidden-reason',
149 $providerStatus->getMessage() );
150 } elseif ( !$this->config->get( 'EnableEmail' ) ) {
151 // Maybe email features have been disabled
152 $status = StatusValue::newFatal( 'passwordreset-emaildisabled' );
153 } elseif ( !$this->permissionManager->userHasRight( $user, 'editmyprivateinfo' ) ) {
154 // Maybe not all users have permission to change private data
155 $status = StatusValue::newFatal( 'badaccess' );
156 } elseif ( $this->isBlocked( $user ) ) {
157 // Maybe the user is blocked (check this here rather than relying on the parent
158 // method as we have a more specific error message to use here and we want to
159 // ignore some types of blocks)
160 $status = StatusValue::newFatal( 'blocked-mailpassword' );
161 }
162
163 $this->permissionCache->set( $user->getName(), $status );
164 }
165
166 return $status;
167 }
168
169 /**
170 * Do a password reset. Authorization is the caller's responsibility.
171 *
172 * Process the form. At this point we know that the user passes all the criteria in
173 * userCanExecute(), and if the data array contains 'Username', etc, then Username
174 * resets are allowed.
175 *
176 * @since 1.29 Fourth argument for displayPassword removed.
177 * @param User $performingUser The user that does the password reset
178 * @param string|null $username The user whose password is reset
179 * @param string|null $email Alternative way to specify the user
180 * @return StatusValue
181 * @throws LogicException When the user is not allowed to perform the action
182 * @throws MWException On unexpected DB errors
183 */
184 public function execute(
185 User $performingUser,
186 $username = null,
187 $email = null
188 ) {
189 if ( !$this->isAllowed( $performingUser )->isGood() ) {
190 throw new LogicException(
191 'User ' . $performingUser->getName() . ' is not allowed to reset passwords'
192 );
193 }
194
195 // Check against the rate limiter. If the $wgRateLimit is reached, we want to pretend
196 // that the request was good to avoid displaying an error message.
197 if ( $performingUser->pingLimiter( 'mailpassword' ) ) {
198 return StatusValue::newGood();
199 }
200
201 // We need to have a valid IP address for the hook 'User::mailPasswordInternal', but per T20347,
202 // we should send the user's name if they're logged in.
203 $ip = $performingUser->getRequest()->getIP();
204 if ( !$ip ) {
205 return StatusValue::newFatal( 'badipaddress' );
206 }
207
208 $username = $username ?? '';
209 $email = $email ?? '';
210
211 $resetRoutes = $this->config->get( 'PasswordResetRoutes' )
212 + [ 'username' => false, 'email' => false ];
213 if ( $resetRoutes['username'] && $username ) {
214 $method = 'username';
215 $users = [ $this->userFactory->newFromName( $username ) ];
216 } elseif ( $resetRoutes['email'] && $email ) {
217 if ( !Sanitizer::validateEmail( $email ) ) {
218 // Only email was supplied but not valid: pretend everything's fine.
219 return StatusValue::newGood();
220 }
221 // Only email was provided
222 $method = 'email';
223 $users = $this->getUsersByEmail( $email );
224 $username = null;
225 // Remove users whose preference 'requireemail' is on since username was not submitted
226 if ( $this->config->get( 'AllowRequiringEmailForResets' ) ) {
227 $optionsLookup = $this->userOptionsLookup;
228 foreach ( $users as $index => $user ) {
229 if ( $optionsLookup->getBoolOption( $user, 'requireemail' ) ) {
230 unset( $users[$index] );
231 }
232 }
233 }
234 } else {
235 // The user didn't supply any data
236 return StatusValue::newFatal( 'passwordreset-nodata' );
237 }
238
239 // If the username is not valid, tell the user.
240 if ( $username && !$this->userNameUtils->getCanonical( $username ) ) {
241 return StatusValue::newFatal( 'noname' );
242 }
243
244 // Check for hooks (captcha etc), and allow them to modify the users list
245 $error = [];
246 $data = [
247 'Username' => $username,
248 // Email gets set to null for backward compatibility
249 'Email' => $method === 'email' ? $email : null,
250 ];
251
252 // Recreate the $users array with its values so that we reset the numeric keys since
253 // the key '0' might have been unset from $users array. 'SpecialPasswordResetOnSubmit'
254 // hook assumes that index '0' is defined if $users is not empty.
255 $users = array_values( $users );
256
257 if ( !$this->hookRunner->onSpecialPasswordResetOnSubmit( $users, $data, $error ) ) {
258 return StatusValue::newFatal( Message::newFromSpecifier( $error ) );
259 }
260
261 // Get the first element in $users by using `reset` function just in case $users is changed
262 // in 'SpecialPasswordResetOnSubmit' hook.
263 $firstUser = reset( $users );
264
265 $requireEmail = $this->config->get( 'AllowRequiringEmailForResets' )
266 && $method === 'username'
267 && $firstUser
268 && $this->userOptionsLookup->getBoolOption( $firstUser, 'requireemail' );
269 if ( $requireEmail && ( $email === '' || !Sanitizer::validateEmail( $email ) ) ) {
270 // Email is required, and not supplied or not valid: pretend everything's fine.
271 return StatusValue::newGood();
272 }
273
274 if ( !$users ) {
275 if ( $method === 'email' ) {
276 // Don't reveal whether or not an email address is in use
277 return StatusValue::newGood();
278 } else {
279 return StatusValue::newFatal( 'noname' );
280 }
281 }
282
283 // If the user doesn't exist, or if the user doesn't have an email address,
284 // don't disclose the information. We want to pretend everything is ok per T238961.
285 // Note that all the users will have the same email address (or none),
286 // so there's no need to check more than the first.
287 if ( !$firstUser instanceof User || !$firstUser->getId() || !$firstUser->getEmail() ) {
288 return StatusValue::newGood();
289 }
290
291 // Email is required but the email doesn't match: pretend everything's fine.
292 if ( $requireEmail && $firstUser->getEmail() !== $email ) {
293 return StatusValue::newGood();
294 }
295
296 $this->hookRunner->onUser__mailPasswordInternal( $performingUser, $ip, $firstUser );
297
298 $result = StatusValue::newGood();
299 $reqs = [];
300 foreach ( $users as $user ) {
301 $req = TemporaryPasswordAuthenticationRequest::newRandom();
302 $req->username = $user->getName();
303 $req->mailpassword = true;
304 $req->caller = $performingUser->getName();
305
306 $status = $this->authManager->allowsAuthenticationDataChange( $req, true );
307 // If status is good and the value is 'throttled-mailpassword', we want to pretend
308 // that the request was good to avoid displaying an error message and disclose
309 // if a reset password was previously sent.
310 if ( $status->isGood() && $status->getValue() === 'throttled-mailpassword' ) {
311 return StatusValue::newGood();
312 }
313
314 if ( $status->isGood() && $status->getValue() !== 'ignored' ) {
315 $reqs[] = $req;
316 } elseif ( $result->isGood() ) {
317 // only record the first error, to avoid exposing the number of users having the
318 // same email address
319 if ( $status->getValue() === 'ignored' ) {
320 $status = StatusValue::newFatal( 'passwordreset-ignored' );
321 }
322 $result->merge( $status );
323 }
324 }
325
326 $logContext = [
327 'requestingIp' => $ip,
328 'requestingUser' => $performingUser->getName(),
329 'targetUsername' => $username,
330 'targetEmail' => $email,
331 ];
332
333 if ( !$result->isGood() ) {
334 $this->logger->info(
335 "{requestingUser} attempted password reset of {actualUser} but failed",
336 $logContext + [ 'errors' => $result->getErrors() ]
337 );
338 return $result;
339 }
340
341 DeferredUpdates::addUpdate(
342 new SendPasswordResetEmailUpdate( $this->authManager, $reqs, $logContext ),
343 DeferredUpdates::POSTSEND
344 );
345
346 return StatusValue::newGood();
347 }
348
349 /**
350 * Check whether the user is blocked.
351 * Ignores certain types of system blocks that are only meant to force users to log in.
352 * @param User $user
353 * @return bool
354 * @since 1.30
355 */
356 private function isBlocked( User $user ) {
357 $block = $user->getBlock() ?: $user->getGlobalBlock();
358 if ( !$block ) {
359 return false;
360 }
361 return $block->appliesToPasswordReset();
362 }
363
364 /**
365 * @note This is protected to allow configuring in tests. This class is not stable to extend.
366 *
367 * @param string $email
368 * @return User[]
369 * @throws MWException On unexpected database errors
370 */
371 protected function getUsersByEmail( $email ) {
372 $userQuery = User::getQueryInfo();
373 $res = $this->loadBalancer->getConnectionRef( DB_REPLICA )->select(
374 $userQuery['tables'],
375 $userQuery['fields'],
376 [ 'user_email' => $email ],
377 __METHOD__,
378 [],
379 $userQuery['joins']
380 );
381
382 if ( !$res ) {
383 // Some sort of database error, probably unreachable
384 throw new MWException( 'Unknown database error in ' . __METHOD__ );
385 }
386
387 $users = [];
388 foreach ( $res as $row ) {
389 $users[] = $this->userFactory->newFromRow( $row );
390 }
391 return $users;
392 }
393
394 }
MediaWiki Core