Page MenuHomePhabricator

Audit extensions using deprecated User methods
Closed, ResolvedPublic


AuthManager deprecates/deletes a number of public User methods:

  • expirePassword
  • resetPasswordExpiration
  • getPasswordExpired
  • getPasswordExpireDate
  • getPasswordFactory
  • getPassword
  • setPassword
  • checkPassword
  • getTemporaryPassword
  • checkTemporaryPassword
  • setInternalPassword
  • setNewpassword
  • isPasswordReminderThrottled
  • randomPassword
  • passwordChangeInputAttribs

and properties:

  • $mPassword
  • $mNewpassword
  • $mNewpassTime
  • $mPasswordExpires

On the off chance that some extension is using these, it will need to be updated to work with AuthManager.

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added subscribers: Aklapper, Tgr.

Quoting @Anomie's earlier email:

Password manipulation itself:
->mPassword (sadly public!)
->mNewpassword (ditto!)
->isValidPassword() / ->getPasswordValidity() / ->checkPasswordValidity()
Then there's also the stuff for password expiry. It looks like it's mostly unused, actually, except for the minimum necessary so it could work if someone were to use it:

->mNewpassTime (sadly public!)
->mPasswordExpiry (ditto!)
Now-obsolete functions for LoginForm:

And a few miscellaneous static functions:

::crypt() (already deprecated)
::comparePasswords() (already deprecated)
::passwordChangeInputAttribs() (not deprecated, but a @todo says it shouldn't exist)
Ideally, I'd rip all that out. And mostly it'd be ok, since it's in stuff that really needs update or rewrite for AuthManager anyway (extensions like CentralAuth, ConfirmAccount, SecurePasswords, TwitterLogin, OpenID, BlueSpiceExtensions UserManager, MediaWikiAuth, SemanticSignup, EditAccount where it messes with passwords, OAuthAuthentication, AjaxLogin, SocialLogin). But a few things aren't:
AbuseFilter, TranslationNotifications, MassMessage, DisableAccount, and AutoProxyBlock mess with password stuff when creating their fake users.
Bunch of unit tests do ->setPassword() before adding to the database, which might break if it's assuming LocalPrimaryAuthenticationProvider.
Translate, inexplicably, has its own user creation code.

Tgr assigned this task to Anomie.
Tgr set Security to None.