Page MenuHomePhabricator

User::setPassword checks wgAuth->allowPasswordChange -- wrong??
Closed, ResolvedPublic


Author: Webbed.Pete

AFAIK, Auth->allowPasswordChange is documented and coded to validate whether
users (via preferences) are allowed to modify their password in MW.

Examples such as AutoAuth use User::setPassword to force the MW password to an
invalid hash such as 'nologin'

Unfortunately, to do so right now requires that the Auth plugin enable user
password changes, because of this test in User::setPassword (line 1387).

It appears to be appropriate and safe to remove the test completely.
setPassword() accomplishes the correct test, and is already used.

See attached patch.

Version: 1.10.x
Severity: minor
OS: Windows XP
Platform: PC



Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 9:37 PM
bzimport set Reference to bz9271.
bzimport added a subscriber: Unknown Object (MLST).

Webbed.Pete wrote:

Patch to remove bogus allowPasswordChange() test


  • This bug has been marked as a duplicate of 8815 ***