Topic on Extension talk:UserAdmin/Flow

Patch for MW 1.24.1 and external authentication

Liamgretton (talkcontribs)

We've found a few problems with UserAdmin and MW 1.24.1:

  • User::isValidEmailAddr() is gone; Sanitizer::validateEmail() must be used instead.
  • wfLoadExtensionMessages() is no longer required.

The patch below for UserAdmin 0.9.1 fixes these problems and adds a configuration variable $wgUserAdminExternalAuth. If true, then UserAdmin basically disables all the password options. In our setup we use LDAP for authNZ and don't want local passwords.

I haven't looked at submitting this to the UserAdmin author for consideration yet, but I post it here in case it's useful for anyone else.

--- README
+++ README
@@ -7,6 +7,9 @@ private wikis that require tighter contr
 Usage:
        require_once("$IP/extensions/UserAdmin/UserAdmin.php"); in LocalSettings.php

+If $wgUserAdminExternalAuth is true, then password options are not used. It is
+assumed that users are authenticated against an external authority such as LDAP.
+
 Docs: http://www.mediawiki.org/wiki/Extension:UserAdmin
 Author: Lance Gatlin <lance.gatlin@gmail.com> Ap.Muthu <apmuthu@usa.net>
 License: http://opensource.org/licenses/gpl-3.0.html GNU Public License 3.0
--- SpecialAddUser.class.php
+++ SpecialAddUser.class.php
@@ -89,7 +89,7 @@ class SpecialAddUser extends SpecialUADM
    */
   function doGET()
   {
-    global $wgLang, $wgOut, $wgUser, $wgAuth;
+    global $wgLang, $wgOut, $wgUser, $wgAuth, $wgUserAdminExternalAuth;

     $this->validateGETParams();

@@ -183,7 +183,7 @@ EOT;
 EOT;
     }

-    return <<<EOT
+    $previewHTML = <<<EOT
 <form id="adduserform" name="input" action="$postURL" method="post" class="visualClear">
   <input type="hidden" name="edittoken" value="$editToken"/>
   <fieldset>
@@ -207,6 +207,10 @@ $domainHTML
       <legend>$this->editgroupslabel</legend>
       $groupsHTML
     </fieldset>
+EOT;
+    # Don't display the password stuff if we're externally authenticating.
+    if ( !$wgUserAdminExternalAuth ) {
+      $previewHTML .= <<<EOT
     <fieldset>
       <legend>$this->editpasswordlabel</legend>
       <input id="pwdmanual" type="radio" name="pwdaction" value="manual" $setPasswordChecked/> <label for="pwdmanual">$this->setpasswordforuserlabel</label><br/>
@@ -223,11 +227,17 @@ $domainHTML
       <input id="pwdemailwelcome" type="radio" name="pwdaction" value="emailwelcome" $emailWelcomeChecked/> <label for="pwdemailwelcome">$this->emailwelcomelabel</label> <button type="submit" name="action" value="emailwelcomepreview">$this->previewactionlabel</button> (<a href="$welcomeTitleHref">$this->subjectlabel</a> | <a href="$welcomeTextHref">$this->bodylabel</a>)<br/>
       $previewWelcomeEmailHTML
     </fieldset>
+EOT;
+    }
+
+    $previewHTML .= <<<EOT
+
     <button type="submit" name="action" value="adduser">$this->adduserlabel</button>
   </fieldset>
 </form>
 $returnToHTML
 EOT;
+    return $previewHTML;
   }

   /*
@@ -235,7 +245,7 @@ EOT;
    */
   function validatePOSTParams()
   {
-    global $wgUser, $wgAuth;
+    global $wgUser, $wgAuth, $wgUserAdminExternalAuth;

     // Validate FORM
     if(empty($this->username))
@@ -266,24 +276,26 @@ EOT;
     if(empty($this->email))
       throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->emailfield));

-    if(!User::isValidEmailAddr($this->email))
+    if(!Sanitizer::validateEmail($this->email))
       throw new InvalidPOSTParamException(wfMsg('uadm-invalidemailmsg',$this->emailfield));

-    if(empty($this->pwdaction))
-      throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));
-
-    if($this->pwdaction == 'manual')
-    {
-      if(empty($this->password1) || empty($this->password2))
-        throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->passwordfield));
+    # Ignore password bits if we're externally authenticating
+    if ( !$wgUserAdminExternalAuth ) {
+      if(empty($this->pwdaction))
+        throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));

-      if($this->password1 != $this->password2)
-        throw new InvalidPOSTParamException(wfMsg('uadm-passwordsmustmatchmsg'));
-
+      if($this->pwdaction == 'manual')
+      {
+        if(empty($this->password1) || empty($this->password2))
+          throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->passwordfield));
+
+        if($this->password1 != $this->password2)
+          throw new InvalidPOSTParamException(wfMsg('uadm-passwordsmustmatchmsg'));
+
+      }
+      elseif($this->pwdaction != 'email' && $this->pwdaction != 'emailwelcome')
+        throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));
     }
-    elseif($this->pwdaction != 'email' && $this->pwdaction != 'emailwelcome')
-      throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));
-

   }
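Review bot: The match check `if($this->password1 != $this->password2)` uses loose comparison, so two different numeric-looking strings (constructed example: `1e3` and `1000`) compare as equal and pass validation. The doPOST hunk then sets `$this->password1`, so a mistyped confirmation can go unnoticed. Use `if($this->password1 !== $this->password2)` here; the same comparison appears in the SpecialEditUser validatePOSTParams hunk. validatePOSTParams starts outside this hunk.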

@@ -294,7 +306,7 @@ EOT;
    */
   function doPOST()
   {
-    global $wgUser, $wgAuth;
+    global $wgUser, $wgAuth, $wgUserAdminExternalAuth;

     switch($this->action)
     {
@@ -328,29 +340,35 @@ EOT;
     $successWikiText = array();
     $successWikiText[] = wfMsg('uadm-newusersuccessmsg', $this->username);

-    $userPassword = '';
-    switch($this->pwdaction)
-    {
-      case 'manual' :
-        try {
-          $user->setPassword($this->password1);
-          $userPassword = $this->password1;
-        }
-        catch(PasswordError $pe)
-        {
-          return $this->getPOSTRedirectURL(false, wfMsg('uadm-passworderrormsg') . $pe->getText());
-        }
-        $successWikiText[] = wfMsg('uadm-passwordchangesuccessmsg',$this->username);
-        break;
-
-      case 'emailwelcome' :
-        $result = self::mailWelcomeAndPassword($user);
-
-        if( WikiError::isError( $result ) )
-          return $this->getPOSTRedirectURL( false, wfMsg( 'uadm-mailerror', $result->getMessage() ) );
-
-        $successWikiText[] = wfMsg('uadm-welcomeemailsuccessmsg', $this->username, $this->email);
-        break;
+    # Don't bother with password if we're authenticating externally
+    if ( !$wgUserAdminExternalAuth ) {
+      $userPassword = '';
+      switch($this->pwdaction)
+      {
+        case 'manual' :
+          try {
+            $user->setPassword($this->password1);
+            $userPassword = $this->password1;
+          }
+          catch(PasswordError $pe)
+          {
+            return $this->getPOSTRedirectURL(false, wfMsg('uadm-passworderrormsg') . $pe->getText());
+          }
+          $successWikiText[] = wfMsg('uadm-passwordchangesuccessmsg',$this->username);
+          break;
+
+        case 'emailwelcome' :
+          $result = self::mailWelcomeAndPassword($user);
+
+          if( WikiError::isError( $result ) )
+            return $this->getPOSTRedirectURL( false, wfMsg( 'uadm-mailerror', $result->getMessage() ) );
+
+          $successWikiText[] = wfMsg('uadm-welcomeemailsuccessmsg', $this->username, $this->email);
+          break;
+      }
+    } else {
+      # Just set a dummy random password which will never be used
+      $userPassword = substr(str_shuffle(MD5(microtime())), 0, 10);
     }

     $user->setToken();
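Review bot: The dummy password in the new `else` branch is derived from `microtime()`, which is guessable by anyone who knows roughly when the account was created, and `str_shuffle` adds no cryptographic randomness. If a value is needed at all, take it from MediaWiki's CSPRNG, e.g. `$userPassword = MWCryptRand::generateHex( 32 );`. In the visible lines the value is only assigned to `$userPassword` and never passed to `$user->setPassword()`. The rest of doPOST lies outside this hunk, so confirm what it does with the variable and whether the new account is left with a usable local password while local login remains enabled.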
@@ -408,4 +426,4 @@ EOT;
     // user just added
     return $this->getSpecialPageURL('EditUser',$this->username, array('statusmsg' => base64_encode($successWikiText), 'statusok' => true, 'returnto' => $this->returnto));
   }
-}
\ No newline at end of file
+}
--- SpecialEditUser.class.php
+++ SpecialEditUser.class.php
@@ -124,7 +124,7 @@ class SpecialEditUser extends SpecialUAD
    */
   function doGET()
   {
-    global $wgLang, $wgOut, $wgUser, $wgAuth;
+    global $wgLang, $wgOut, $wgUser, $wgAuth, $wgUserAdminExternalAuth;

     $user = $this->validateGETParams();

@@ -316,7 +316,7 @@ EOT;
 EOT;
     }

-    return <<<EOT
+    $previewHTML = <<<EOT
 <form id="edituserform" name="input" action="$postURL" method="post" class="visualClear">
   <input type="hidden" name="edittoken" value="$editToken"/>
   <fieldset>
@@ -364,6 +364,9 @@ $domainHTML
       <legend>$this->editgroupslabel:</legend>
       $groupsHTML
     </fieldset>
+EOT;
+    if ( !$wgUserAdminExternalAuth ) {
+      $previewHTML .= <<<EOT
     <fieldset>
       <legend>$this->editpasswordlabel:</legend>
       <input id="pwdmanual" type="radio" name="pwdaction" value="manual" $pwdSetPasswordChecked/> <label for="pwdmanual">$this->setpasswordforuserlabel:</label><br/>
@@ -383,6 +386,9 @@ $domainHTML
       $previewWelcomeEmailHTML
       <input id="pwdnochange" type="radio" name="pwdaction" value="nochange" $pwdNoChangeChecked/> <label for="pwdnochange">$this->nochangetopasswordlabel</label><br/>
     </fieldset>
+EOT;
+    }
+    $previewHTML .= <<<EOT
     <label for="reason">$this->reasonlabel:</label> <input id="reason" type="text" name="reason" size="60" maxlength="255" value="$this->reason"/> $this->requiredlabel<br/>
     <button type="submit" name="action" value="saveuser">$this->saveuserlabel</button>
   </fieldset>
@@ -390,6 +396,7 @@ $domainHTML
 $searchFormHTML
 $returnToHTML
 EOT;
+    return $previewHTML;
     }

   /*
@@ -397,7 +404,7 @@ EOT;
    */
   function validatePOSTParams()
   {
-    global $wgUser, $wgAuth;
+    global $wgUser, $wgAuth, $wgUserAdminExternalAuth;

     $user = User::newFromId($this->userid);
     if(!$user->loadFromId())
@@ -436,26 +443,29 @@ EOT;
     if(empty($this->email))
       throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->emailfield));

-    if(!User::isValidEmailAddr($this->email))
+    if(!Sanitizer::validateEmail($this->email))
       throw new InvalidPOSTParamException(wfMsg('uadm-invalidemailmsg',$this->emailfield));

     if(empty($this->reason))
       throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->reasonfield));

-    if(empty($this->pwdaction))
-      throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));
-
-    if($this->action == 'saveuser' && $this->pwdaction == 'manual')
-    {
-      if(empty($this->password1) || empty($this->password2))
-        throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->passwordfield));
-
-      if($this->password1 != $this->password2)
-        throw new InvalidPOSTParamException(wfMsg('uadm-passwordsmustmatchmsg'));
-
-//      $result = $user->checkPassword($this->password1);
-//      if($result !== true)
-//        throw new InvalidPOSTParamException(wfMsg('uadm-invalidpasswordmsg'));
+    # Ignore password information if we're authenticating externally
+    if ( !$wgUserAdminExternalAuth ) {
+      if(empty($this->pwdaction))
+        throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));
+
+      if($this->action == 'saveuser' && $this->pwdaction == 'manual')
+      {
+        if(empty($this->password1) || empty($this->password2))
+          throw new InvalidPOSTParamException(wfMsg('uadm-fieldisrequiredmsg',$this->passwordfield));
+
+        if($this->password1 != $this->password2)
+          throw new InvalidPOSTParamException(wfMsg('uadm-passwordsmustmatchmsg'));
+
+  //      $result = $user->checkPassword($this->password1);
+  //      if($result !== true)
+  //        throw new InvalidPOSTParamException(wfMsg('uadm-invalidpasswordmsg'));
+      }
     }

     return $user;
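Review bot: When `$wgUserAdminExternalAuth` is true this hunk skips every `pwdaction` and password check, but no hunk in this patch gates the password handling in SpecialEditUser's doPOST the way the SpecialAddUser doPOST hunk does. Hiding the fieldset in doGET is presentation only, so a request that still carries `pwdaction` would presumably reach doPOST unvalidated. Either wrap the password handling in doPOST in `if ( !$wgUserAdminExternalAuth ) { ... }`, or reject a non-empty `pwdaction` here with `throw new InvalidPOSTParamException(wfMsg('uadm-formsubmissionerrormsg'));`. doPOST's body is not visible in these hunks, so check this against the full file.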
@@ -646,4 +656,4 @@ EOT;

     return $this->getPOSTRedirectURL(true, $successWikiText);
   }
-}
\ No newline at end of file
+}
--- SpecialUADMBase.class.php
+++ SpecialUADMBase.class.php
@@ -56,8 +56,6 @@ abstract class SpecialUADMBase extends S
   {
     parent::__construct($name, $rights);

-    wfLoadExtensionMessages('UserAdmin');
-
     $this->mURL = $this->getTitle()->getLocalURL();
   }

@@ -603,4 +601,4 @@ EOT;
 EOT;
   }

-}
\ No newline at end of file
+}
--- UserAdmin.php
+++ UserAdmin.php
@@ -37,6 +37,9 @@ $wgExtensionCredits['specialpage'][] = a

 $dir = dirname(__FILE__) . '/';

+# wgUserAdminExternalAuth indicates that external auth is used (e.g. LDAP) instead of passwords.
+$wgUserAdminExternalAuth = false;
+
 $wgExtensionMessagesFiles['UserAdmin'] = $dir . 'UserAdmin.i18n.php';

 $wgAutoloadClasses['SpecialUserAdminPanel'] = $dir . 'SpecialUserAdminPanel.class.php';
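Review bot: `$wgUserAdminExternalAuth = false;` is assigned unconditionally when UserAdmin.php loads, so a value set in LocalSettings.php before the `require_once` line is silently reset and the password options come back. Document the ordering next to the default, for example `# Set this in LocalSettings.php after the require_once line; a value set earlier is overwritten here.`, and repeat that in the README paragraph this patch adds.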