Last modified: 2010-05-15 15:48:32 UTC

Bug 9778 - Error if AuthPlugin autoCreate returns true and allowPasswordChange returns false
Status: RESOLVED DUPLICATE of bug 8815
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Hardware: PC All
Importance: Normal normal with 1 vote
Assigned To: Nobody
Reported: 2007-05-03 20:34 UTC by Mark Nelson
Modified: 2010-05-15 15:48 UTC

Description Mark Nelson 2007-05-03 20:34:11 UTC
If an implementation of AuthPlugin returns true from autoCreate, and false from
allowChangePassword, then an error results when attempting to create the new
record for a user who successfully authenticates for the first time.

The trace is essentially:
1. (line 357 of SpecialUserlogin.php) The user has successfully authenticated
but has an id of 0 and the AuthPlugin implementation has returned true from
autoCreate so a call is made to initUser to create the new local user record.

2. (line 311 of SpecialUserlogin.php) initUser calls setPassword on the user
object as part of initializing it before saving it to the local database.

3. (line 1332 of User.php) setPassword checks the AuthPlugin implementation and
sees that allowPasswordChange returns false. Therefore it throws an error.

Scenario: We authenticate remotely against LDAP. Our users can only change
their password using a central facility outside of the Wiki.  We want new
accounts to be created in our Wiki for any user who has successfully
authenticated, but we do not want them to maintain a password in the local Wiki
database.  Therefore we implemented autoCreate to return true and
allowPasswordChange to return false in our AuthPlugin subclass.

Possible resolution:
Only call setPassword from initUser conditionally based on the return value from
the AuthPlugin subclass' implementation of allowPasswordChange.
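
The call chain and the proposed resolution from the description above, as a simplified stand-alone model added here (not MediaWiki's code and not part of the original report). Only autoCreate, allowPasswordChange, setPassword and initUser are names from the report; AuthBackend, ExternalOnlyAuth, ModelUser, firstLogin and the $guarded flag are hypothetical, and PHP 8 is assumed.

```php
<?php
// Simplified model, not MediaWiki source; hypothetical names are listed in the lead-in.
interface AuthBackend {
    public function autoCreate(): bool;
    public function allowPasswordChange(): bool;
}

// The reporter's scenario: auto-create local accounts, keep no local password.
final class ExternalOnlyAuth implements AuthBackend {
    public function autoCreate(): bool { return true; }
    public function allowPasswordChange(): bool { return false; }
}

final class ModelUser {
    public ?string $passwordHash = null;
    public function __construct(private AuthBackend $auth) {}

    // Step 3 of the trace: refuse when the backend forbids password changes.
    public function setPassword(string $password): void {
        if (!$this->auth->allowPasswordChange()) {
            throw new RuntimeException('password change not allowed by auth backend');
        }
        $this->passwordHash = password_hash($password, PASSWORD_DEFAULT);
    }
}

// Step 2: $guarded = false is the reported behaviour, true the proposed resolution.
function initUser(AuthBackend $auth, string $password, bool $guarded): ModelUser {
    $user = new ModelUser($auth);
    if (!$guarded || $auth->allowPasswordChange()) {
        $user->setPassword($password);
    }
    return $user;
}

// Step 1: first successful external login with no local record yet.
function firstLogin(AuthBackend $auth, string $password, bool $guarded): string {
    if (!$auth->autoCreate()) { return 'no local account created'; }
    try {
        $user = initUser($auth, $password, $guarded);
    } catch (RuntimeException $e) {
        return 'error: ' . $e->getMessage();
    }
    return 'created, local hash stored: ' . var_export($user->passwordHash !== null, true);
}

$auth = new ExternalOnlyAuth();
echo firstLogin($auth, 'constructed-sample-pw', false), "\n"; // unguarded call chain
echo firstLogin($auth, 'constructed-sample-pw', true), "\n";  // guarded call chain
```
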

Comment 1 Brion Vibber 2007-05-04 14:11:12 UTC
Please test with 1.10.0rc1, as some behavior has changed:
Please note that the setPasswordInternal() function should be used to set the
password "internally" bypassing validity checks and the authentication backend.

Comment 2 Brion Vibber 2007-05-04 14:13:22 UTC

*** This bug has been marked as a duplicate of 8815 ***