
If user's IP is not in allowed range, bot password gives error about username/password
Open, Needs Triage, Public

Description

From T188111, specifically T188111#3997503

Exception: API login phase2 gave result Failed with reason "Incorrect username or password entered. Please try again.", expected "Success"

If a login attempt is disallowed due to a bot password's IP range limitation... Should the error message give more of a hint to this extent?

Even if it's kept as a fairly generic error (obviously it shouldn't be telling the user what the allowed IP ranges are)

Event Timeline

A look at the code...

		// Check restrictions
		$status = $bp->getRestrictions()->check( $request );
		if ( !$status->isOK() ) {
			return Status::newFatal( 'botpasswords-restriction-failed' );
		}

and

	/**
	 * Test against the passed WebRequest
	 * @param WebRequest $request
	 * @return Status
	 */
	public function check( WebRequest $request ) {
		$ok = [
			'ip' => $this->checkIP( $request->getIP() ),
		];
		$status = Status::newGood();
		$status->setResult( $ok === array_filter( $ok ), $ok );
		return $status;
	}

	/**
	 * Test an IP address
	 * @param string $ip
	 * @return bool
	 */
	public function checkIP( $ip ) {
		foreach ( $this->ipAddresses as $range ) {
			if ( \IP::isInRange( $ip, $range ) ) {
				return true;
			}
		}

		return false;
	}

Should be throwing out

	"botpasswords-restriction-failed": "Bot password restrictions prevent this login.",

Instead, it seems to be getting

	"wrongpassword": "Incorrect username or password entered.\nPlease try again.",

Is something eating/overriding this error further up the stack?

See af37a4c7. Get rid of weird usernames, revert that change and you'll get nice error messages.
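
The restriction check quoted in this task, as a stand-alone added example (not MediaWiki code and not from any participant in this task): it matches a client IP against allowed CIDR ranges and returns only the generic `botpasswords-restriction-failed` key to the client, keeping the per-check detail for the server log. `inRange()` and `checkRestrictions()` are hypothetical stand-ins, and the addresses are constructed sample data.

```php
<?php
// Added illustration, not MediaWiki code. inRange() and checkRestrictions()
// are hypothetical stand-ins for IP::isInRange() and the restriction check.

/** Return true if $ip falls inside the CIDR block $cidr (IPv4 or IPv6). */
function inRange( string $ip, string $cidr ): bool {
	[ $net, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, null );
	$ipBin = @inet_pton( $ip );
	$netBin = @inet_pton( $net );
	// Reject unparsable input and mixed address families.
	if ( $ipBin === false || $netBin === false || strlen( $ipBin ) !== strlen( $netBin ) ) {
		return false;
	}
	$max = strlen( $ipBin ) * 8;
	// Fail closed on a malformed or oversized prefix length.
	$bits = $bits ?? (string)$max;
	if ( !ctype_digit( $bits ) || (int)$bits > $max ) {
		return false;
	}
	$bits = (int)$bits;
	// Compare whole bytes first, then the remaining high bits of the next byte.
	$bytes = intdiv( $bits, 8 );
	if ( substr( $ipBin, 0, $bytes ) !== substr( $netBin, 0, $bytes ) ) {
		return false;
	}
	$rem = $bits % 8;
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return $rem === 0 || ( ord( $ipBin[$bytes] ) & $mask ) === ( ord( $netBin[$bytes] ) & $mask );
}

/** Returns [ message key for the client or null, detail for the server log ]. */
function checkRestrictions( string $ip, array $allowedRanges ): array {
	foreach ( $allowedRanges as $range ) {
		if ( inRange( $ip, $range ) ) {
			return [ null, [ 'ip' => true ] ];
		}
	}
	// The client learns that a restriction applied, never which ranges are allowed.
	return [ 'botpasswords-restriction-failed', [ 'ip' => false ] ];
}

// Constructed sample data (documentation address ranges).
$allowed = [ '192.0.2.0/24', '2001:db8::/32' ];
foreach ( [ '192.0.2.77', '198.51.100.5', '2001:db8::1' ] as $ip ) {
	[ $key, $detail ] = checkRestrictions( $ip, $allowed );
	echo $ip, ' => ', $key ?? 'ok', ' (log: ', json_encode( $detail ), ")\n";
}
```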