Last modified: 2010-05-15 15:48:32 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T11778, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 9778 - Error if AuthPlugin autoCreate returns true and allowPasswordChange returns false
Status: RESOLVED DUPLICATE of bug 8815
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.9.x
Hardware: PC All
Importance: Normal normal with 1 vote
Assigned To: Nobody

Reported: 2007-05-03 20:34 UTC by Mark Nelson
Modified: 2010-05-15 15:48 UTC (History)

Description Mark Nelson 2007-05-03 20:34:11 UTC
If an implementation of AuthPlugin returns true from autoCreate, and false from
allowPasswordChange, then an error results when attempting to create the new
record for a user who successfully authenticates for the first time.

The trace is essentially:
1. (line 357 of SpecialUserlogin.php) The user has successfully authenticated
but has an id of 0 and the AuthPlugin implementation has returned true from
autoCreate so a call is made to initUser to create the new local user record.

2. (line 311 of SpecialUserlogin.php) initUser calls setPassword on the user
object as part of initializing it before saving it to the local database.

3. (line 1332 of User.php) setPassword checks the AuthPlugin implementation and
sees that allowPasswordChange returns false. Therefore it throws an error.



Scenario: We authenticate remotely against LDAP. Our users can only change
their password using a central facility outside of the Wiki. We want new
accounts to be created in our Wiki for any user who has successfully
authenticated, but we do not want them to maintain a password in the local Wiki
database. Therefore we implemented autoCreate to return true and
allowPasswordChange to return false in our AuthPlugin subclass.

Possible resolution:
Only call setPassword from initUser conditionally based on the return value from
the AuthPlugin subclass' implementation of allowPasswordChange.

Comment 1 Brion Vibber 2007-05-04 14:11:12 UTC
Please test with 1.10.0rc1, as some behavior has changed:
Please note that the setPasswordInternal() function should be used to set the
password "internally" bypassing validity checks and the authentication backend.

Comment 2 Brion Vibber 2007-05-04 14:13:22 UTC

*** This bug has been marked as a duplicate of 8815 ***
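
The failure path traced in the description, and the conditional call proposed there, as an added stand-alone PHP model; this is not MediaWiki code and not code from anyone in the thread. Only the method names autoCreate, allowPasswordChange, setPassword and initUser come from the report; the classes, the exception type and the sample password are hypothetical.

```php
<?php
// Simplified stand-alone model of the flow in the report. Class and function
// names other than the method names quoted in the report are hypothetical.
class PasswordChangeRefused extends Exception {}

class LdapOnlyAuth {                       // stands in for the reporter's AuthPlugin subclass
    public function autoCreate() { return true; }            // create a local row on first login
    public function allowPasswordChange() { return false; }  // passwords are managed outside the wiki
}

class ModelUser {
    public $id = 0;                        // 0 = no local record yet (step 1)
    public $passwordHash = null;
    private $auth;
    public function __construct( $auth ) { $this->auth = $auth; }

    // Models step 3: refuses when the backend forbids password changes.
    public function setPassword( $plain ) {
        if ( !$this->auth->allowPasswordChange() ) {
            throw new PasswordChangeRefused( 'backend does not allow password changes' );
        }
        $this->passwordHash = password_hash( $plain, PASSWORD_DEFAULT );
    }
}

// Models step 2 as reported: always sets the password while initialising the user.
function initUserReported( ModelUser $u, $plain ) {
    $u->setPassword( $plain );
    $u->id = 1;                            // stands in for saving the row
    return $u;
}

// The reporter's proposed resolution: set a local password only if the backend allows it.
function initUserConditional( ModelUser $u, LdapOnlyAuth $auth, $plain ) {
    if ( $auth->allowPasswordChange() ) {
        $u->setPassword( $plain );
    }
    $u->id = 1;
    return $u;
}

$auth = new LdapOnlyAuth();
try {
    initUserReported( new ModelUser( $auth ), 'constructed-sample-password' );
} catch ( PasswordChangeRefused $e ) {
    echo "reported flow: ", $e->getMessage(), "\n";
}
$u = initUserConditional( new ModelUser( $auth ), $auth, 'constructed-sample-password' );
echo "conditional flow: id={$u->id}, local hash stored: ", var_export( $u->passwordHash !== null, true ), "\n";
```

With the conditional call the account is created without any password hash being written locally, which matches the scenario's goal of keeping credentials only in the external directory.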
