Audit extensions using deprecated User methods
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tgr
	Aug 26 2015, 11:48 PM

Description

AuthManager deprecates/deletes a number of public User methods:

expirePassword
resetPasswordExpiration
getPasswordExpired
getPasswordExpireDate
getPasswordFactory
getPassword
setPassword
checkPassword
getTemporaryPassword
checkTemporaryPassword
setInternalPassword
setNewpassword
isPasswordReminderThrottled
randomPassword
passwordChangeInputAttribs

and properties:

$mPassword
$mNewpassword
$mNewpassTime
$mPasswordExpires

On the off chance that some extension is using these, it will need to be updated to work with AuthManager.

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		• Deskana	T75616 Tracking: API/backend issues blocking Wikipedia app development
Resolved		Anomie	T32788 Allow triggering of user password reset email via the API
Open		None	T90925 General authentication improvements for MediaWiki
Resolved		Anomie	T48179 Allow a challenge stage during authentication
Open		None	T5709 Refactoring to make external authentication and identity systems easier
Resolved		Tgr	T43201 UserLoadFromSession considered evil
Resolved		Anomie	T67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
Open	Feature	None	T55156 Provide option to force a login session to end within a certain time
Open		None	T89459 Modernize MediaWiki authentication system (AuthManager)
Resolved		Anomie	T110412 Find and assess extensions affected by AuthManager
Resolved		Anomie	T110433 Audit extensions using deprecated User methods

Event Timeline

Tgr created this task.Aug 26 2015, 11:48 PM

Tgr raised the priority of this task from to Needs Triage.

Tgr updated the task description. (Show Details)

Tgr added projects: MediaWiki-Core-AuthManager, Reading-Infrastructure-Team-Old (Don't use), MediaWiki-extensions-General.

Tgr added subscribers: Aklapper, Tgr.

bd808 moved this task from Backlog to AuthManager Backlog on the MediaWiki-Core-AuthManager board.Aug 28 2015, 5:25 PM

Tgr mentioned this in T110756: Come up with AuthManager migration strategy.Aug 28 2015, 11:47 PM

Quoting @Anomie's earlier email:

Password manipulation itself:
->mPassword (sadly public!)
->mNewpassword (ditto!)
->isValidPassword() / ->getPasswordValidity() / ->checkPasswordValidity()
->getPassword()
->getTemporaryPassword()
->setPassword()
->setInternalPassword()
->setNewpassword()
->isPasswordReminderThrottled()
Then there's also the stuff for password expiry. It looks like it's mostly unused, actually, except for the minimum necessary so it could work if someone were to use it:

->mNewpassTime (sadly public!)
->mPasswordExpiry (ditto!)
->expirePassword()
->resetPasswordExpiration()
->getPasswordExpired()
->getPasswordExpireDate()
Now-obsolete functions for LoginForm:

->checkPassword()
->checkTemporaryPassword()
And a few miscellaneous static functions:

::getPasswordFactory()
::randomPassword()
::crypt() (already deprecated)
::comparePasswords() (already deprecated)
::passwordChangeInputAttribs() (not deprecated, but a @todo says it shouldn't exist)
Ideally, I'd rip all that out. And mostly it'd be ok, since it's in stuff that really needs update or rewrite for AuthManager anyway (extensions like CentralAuth, ConfirmAccount, SecurePasswords, TwitterLogin, OpenID, BlueSpiceExtensions UserManager, MediaWikiAuth, SemanticSignup, EditAccount where it messes with passwords, OAuthAuthentication, AjaxLogin, SocialLogin). But a few things aren't:
AbuseFilter, TranslationNotifications, MassMessage, DisableAccount, and AutoProxyBlock mess with password stuff when creating their fake users.
Bunch of unit tests do ->setPassword() before adding to the database, which might break if it's assuming LocalPrimaryAuthenticationProvider.
Translate, inexplicably, has its own user creation code.