public function execute()
{
if (!class_exists('CentralAuthUser')) {
$this->error("CentralAuth isn't enabled on this wiki\n", 1);
}
$username = $this->getArg(0);
$user = User::newFromName($username);
if ($user === false) {
$this->error("'{$username}' is an invalid username\n", 1);
}
// Normalize username
$username = $user->getName();
if ($user->getId()) {
$this->error("User '{$username}' already exists\n", 1);
} else {
global $wgAuth;
$central = CentralAuthUser::getInstance($user);
if (!$central->exists()) {
$this->error("No such global user: '******'\n", 1);
}
$user->loadDefaults($username);
$user->addToDatabase();
$wgAuth->initUser($user, true);
$wgAuth->updateUser($user);
# Notify hooks (e.g. Newuserlog)
Hooks::run('AuthPluginAutoCreate', array($user));
# Update user count
$ssUpdate = new SiteStatsUpdate(0, 0, 0, 0, 1);
$ssUpdate->doUpdate();
$this->output("User '{$username}' created\n");
}
}
/**
* Check that we can perform the rename
*
* @param User $oldUser
* @param User $newUser
*
* @return Status
*/
public function validate(User $oldUser, User $newUser)
{
$status = new Status();
if (!User::isCreatableName($newUser->getName())) {
$status->fatal('centralauth-rename-badusername');
}
$caOldUser = CentralAuthUser::getInstance($oldUser);
if (!$caOldUser->exists()) {
$status->fatal('centralauth-rename-doesnotexist');
}
$caNewUser = CentralAuthUser::getInstance($newUser);
if ($caNewUser->exists()) {
$status->fatal('centralauth-rename-alreadyexists');
}
$unattached = $caNewUser->listUnattached();
if ($unattached) {
$status->fatal('centralauth-rename-unattached-intheway');
}
// Check we're not currently renaming the user
$renameState = $caOldUser->renameInProgress();
if ($renameState) {
$status->fatal('centralauth-rename-alreadyinprogress', $renameState[1]);
}
return $status;
}
/**
* Get the user object for the user who is doing the renaming
* "Auto-create" if it doesn't exist yet.
* @return User
*/
protected function getRenameUser()
{
$user = User::newFromName($this->params['renamer']);
// If the username is a reserved name, don't worry about the account
// existing, just use it.
if (!User::isUsableName($user->getName())) {
return $user;
}
$caUser = CentralAuthUser::getInstance($user);
// Race condition where the renamer isn't attached here, but
// someone creates an account in the meantime and then bad
// stuff could happen...
// For the meantime, just use a system account
if (!$caUser->attachedOn(wfWikiID()) && $user->getId() !== 0) {
return User::newFromName('Global rename script');
} elseif ($user->getId() == 0) {
// No local user, lets "auto-create" one
if (CentralAuthHooks::attemptAddUser($user)) {
return User::newFromName($user->getName());
// So the internal cache is reloaded
} else {
// Auto-creation didn't work, fallback on the system account.
return User::newFromName('Global rename script');
}
} else {
// Account is attached and exists, just use it :)
return $user;
}
}
public function execute()
{
$user = $this->getUser();
$params = $this->extractRequestParams();
// If we're in JSON callback mode, no tokens can be obtained
if ($this->lacksSameOriginSecurity()) {
$this->dieUsage('Cannot obtain a centralauthtoken when using a callback', 'hascallback');
}
if ($user->isAnon()) {
$this->dieUsage('Anonymous users cannot obtain a centralauthtoken', 'notloggedin');
}
if (CentralAuthHooks::hasApiToken()) {
$this->dieUsage('Cannot obtain a centralauthtoken when using centralauthtoken', 'norecursion');
}
$centralUser = CentralAuthUser::getInstance($user);
if (!$centralUser->exists() || !$centralUser->isAttached()) {
$this->dieUsage('Cannot obtain a centralauthtoken without an attached global account', 'notattached');
}
$data = array('userName' => $user->getName(), 'token' => $centralUser->getAuthToken());
global $wgMemc;
$loginToken = MWCryptRand::generateHex(32) . dechex($centralUser->getId());
$key = CentralAuthUser::memcKey('api-token', $loginToken);
$wgMemc->add($key, $data, 60);
$this->getResult()->addValue(null, $this->getModuleName(), array('centralauthtoken' => $loginToken));
}
/**
* Try to create and attach the user.
* @throws Exception
* @return bool Success
*/
public function run()
{
$username = $this->params['name'];
$from = $this->params['from'];
$wiki = wfWikiID();
if (isset($this->params['session'])) {
// restore IP and other request data
$this->params['session']['userId'] = 0;
$this->params['session']['sessionId'] = '';
$callback = RequestContext::importScopedSession($this->params['session']);
}
$user = User::newFromName($username);
$centralUser = CentralAuthUser::getInstance($user);
if ($user->getId() !== 0) {
wfDebugLog('CentralAuth', __CLASS__ . ": tried to create local account for {$username} " . "on {$wiki} from {$from} but one already exists\n");
return true;
} elseif (!$centralUser->exists()) {
wfDebugLog('CentralAuth', __CLASS__ . ": tried to create local account for {$username} " . "on {$wiki} from {$from} but no global account exists\n");
return true;
} elseif ($centralUser->attachedOn($wiki)) {
wfDebugLog('CentralAuth', __CLASS__ . ": tried to create local account for {$username} " . "on {$wiki} from {$from} but an attached local account already exists\n");
return true;
}
$success = CentralAuthHooks::attemptAddUser($user);
if ($success) {
$centralUser->invalidateCache();
}
return true;
}
/**
* @param $user
* @return bool
*/
function userCanEdit($user)
{
$globalUser = CentralAuthUser::getInstance($user);
# # Should be a global user
if (!$globalUser->exists() || !$globalUser->isAttached()) {
return false;
}
# # Permission MUST be gained from global rights.
return $globalUser->hasGlobalPermission('globalgrouppermissions');
}
public static function newFromUser(\User $user)
{
// Use CentralAuth if available. Use local user to ease testing.
if (class_exists('\\CentralAuthUser')) {
$user = \CentralAuthUser::getInstance($user);
}
if ($user === null) {
throw new \MWException("Unable to find global user for");
}
return new GlobalUser($user);
}
/**
* @covers CentralAuthUser::getInstance
*/
public function testGetInstance()
{
$user = User::newFromName('FooBarBaz');
unset($user->centralAuthObj);
$caUser = CentralAuthUser::getInstance($user);
$this->assertInstanceOf('CentralAuthUser', $caUser);
$this->assertEquals($user->getName(), $caUser->getName());
$this->assertSame($user->centralAuthObj, $caUser);
// Now test it just reads from the cache, no matter what
$user2 = User::newFromName('BazBarFoo');
$user2->centralAuthObj = 'blahblahblah';
$this->assertEquals('blahblahblah', CentralAuthUser::getInstance($user2));
}
function execute($par)
{
global $wgMemc, $wgCentralAuthLoginWiki;
$request = $this->getRequest();
$this->loginWiki = $wgCentralAuthLoginWiki;
if (!$this->loginWiki) {
// Ugh, no central wiki. If we're coming from an edge login, make
// the logged-into wiki the de-facto central wiki for this request
// so auto-login still works.
$fromwiki = $request->getVal('from', $request->getVal('notifywiki'));
if ($fromwiki !== null && WikiMap::getWiki($fromwiki)) {
$this->loginWiki = $fromwiki;
}
} elseif ($request->getVal('from') === wfWikiId() && $wgCentralAuthLoginWiki !== wfWikiId()) {
// Remote wiki must not have wgCentralAuthLoginWiki set, but we do. Redirect them.
$this->do302Redirect($wgCentralAuthLoginWiki, $par, $request->getValues());
return;
}
$params = $request->getValues('type', 'from', 'return', 'returnto', 'returntoquery', 'proto', 'mobile');
switch (strval($par)) {
case 'P3P':
// Explain the bogus P3P header
$this->setHeaders();
$this->getOutput()->addWikiMsg('centralauth-centralautologin-p3p-explanation');
return;
case 'toolslist':
// Do not cache this, we want updated Echo numbers and such.
$this->getOutput()->enableClientCache(false);
$user = $this->getUser();
if (!$user->isAnon()) {
if (!CentralAuthHooks::isUIReloadRecommended($user)) {
$html = $this->getSkin()->getPersonalToolsList();
$json = FormatJSON::encode(array('toolslist' => $html));
} else {
$gender = $this->getUser()->getOption('gender');
if (strval($gender) === '') {
$gender = 'unknown';
}
$json = FormatJSON::encode(array('notify' => array('username' => $user->getName(), 'gender' => $gender)));
}
$this->doFinalOutput(true, 'OK', $json, 'json');
} else {
$this->doFinalOutput(false, 'Not logged in', '', 'json');
}
return;
case 'refreshCookies':
// Refresh central cookies (e.g. in case 'remember me' was set)
// Do not cache this, we need to reset the cookies every time.
$this->getOutput()->enableClientCache(false);
if (!$wgCentralAuthLoginWiki || !$this->checkIsCentralWiki($wikiid)) {
return;
}
CentralAuthUser::setP3P();
$centralUser = CentralAuthUser::getInstance($this->getUser());
if ($centralUser && $centralUser->getId()) {
$centralSession = $this->getCentralSession($centralUser, $this->getUser());
// Refresh 'remember me' preference
$remember = (bool) $centralSession['remember'];
if ($remember != $this->getUser()->getBoolOption('rememberpassword')) {
$this->getUser()->setOption('rememberpassword', $remember ? 1 : 0);
$this->getUser()->saveSettings();
}
$secureCookie = $centralSession['secureCookies'];
$centralUser->setGlobalCookies($remember, false, $secureCookie, $centralSession);
$this->doFinalOutput(true, 'success');
} else {
$this->doFinalOutput(false, 'Not logged in');
}
return;
case 'deleteCookies':
// Delete central cookies
// Do not cache this, we need to reset the cookies every time.
$this->getOutput()->enableClientCache(false);
if ($this->getUser()->isLoggedIn()) {
$this->doFinalOutput(false, 'Cannot delete cookies while still logged in');
return;
}
CentralAuthUser::setP3P();
CentralAuthUser::deleteGlobalCookies();
$this->doFinalOutput(true, 'success');
return;
case 'start':
// Main entry point
// Note this is safe to cache, because the cache already varies on
// the session cookies.
$this->getOutput()->setSquidMaxage(1200);
if (!$this->checkIsLocalWiki()) {
return;
}
CentralAuthUser::setP3P();
$this->do302Redirect($this->loginWiki, 'checkLoggedIn', array('wikiid' => wfWikiID(), 'proto' => $request->detectProtocol()) + $params);
return;
case 'checkLoggedIn':
// Check if we're logged in centrally
// Note this is safe to cache, because the cache already varies on
// the session cookies.
$this->getOutput()->setSquidMaxage(1200);
if (!$this->checkIsCentralWiki($wikiid)) {
return;
}
CentralAuthUser::setP3P();
if ($this->getUser()->isLoggedIn()) {
$centralUser = CentralAuthUser::getInstance($this->getUser());
} else {
$this->doFinalOutput(false, 'Not centrally logged in', self::getInlineScript('anon-set.js'));
return;
}
// We're pretty sure this user is logged in, so pass back
// headers to prevent caching, just in case
$this->getOutput()->enableClientCache(false);
$memcData = array('gu_id' => $centralUser->getId());
$token = MWCryptRand::generateHex(32);
$key = CentralAuthUser::memcKey('centralautologin-token', $token);
$wgMemc->set($key, $memcData, 60);
$this->do302Redirect($wikiid, 'createSession', array('token' => $token) + $params);
return;
case 'createSession':
// Create the local session and shared memcache token
if (!$this->checkIsLocalWiki()) {
return;
}
CentralAuthUser::setP3P();
$token = $request->getVal('token', '');
$gid = $request->getVal('gu_id', '');
if ($token !== '') {
// Load memc data
$key = CentralAuthUser::memcKey('centralautologin-token', $token);
$memcData = $wgMemc->get($key);
$wgMemc->delete($key);
if (!$memcData || !isset($memcData['gu_id'])) {
$this->doFinalOutput(false, 'Invalid parameters');
return;
}
$gu_id = intval($memcData['gu_id']);
} elseif ($gid !== '') {
// Cached, or was logging in as we switched from gu_id to token
$gu_id = intval($gid);
} else {
$this->doFinalOutput(false, 'Invalid parameters');
return;
}
if ($gu_id <= 0) {
$this->doFinalOutput(false, 'Not centrally logged in', self::getInlineScript('anon-set.js'));
return;
}
// At this point we can't cache anymore because we need to set
// cookies and memc each time.
$this->getOutput()->enableClientCache(false);
// Ensure that a session exists
if (session_id() == '') {
wfSetupSession();
}
// Create memc token
$wikiid = wfWikiID();
$memcData = array('gu_id' => $gu_id, 'wikiid' => $wikiid);
$token = MWCryptRand::generateHex(32);
$key = CentralAuthUser::memcKey('centralautologin-token', $token, $wikiid);
$wgMemc->set($key, $memcData, 60);
// Save memc token for the 'setCookies' step
$request->setSessionData('centralautologin-token', $token);
$this->do302Redirect($this->loginWiki, 'validateSession', array('token' => $token, 'wikiid' => $wikiid) + $params);
return;
case 'validateSession':
// Validate the shared memcached token
// Do not cache this, we need to reset the cookies and memc every time.
$this->getOutput()->enableClientCache(false);
if (!$this->checkIsCentralWiki($wikiid)) {
return;
}
if (!$this->getUser()->isLoggedIn()) {
$this->doFinalOutput(false, 'Not logged in');
return;
}
CentralAuthUser::setP3P();
// Validate params
$token = $request->getVal('token', '');
if ($token === '') {
$this->doFinalOutput(false, 'Invalid parameters');
return;
}
// Load memc data
$key = CentralAuthUser::memcKey('centralautologin-token', $token, $wikiid);
$memcData = $wgMemc->get($key);
$wgMemc->delete($key);
// Check memc data
$centralUser = CentralAuthUser::getInstance($this->getUser());
if (!$memcData || $memcData['wikiid'] !== $wikiid || !$centralUser || !$centralUser->getId() || $memcData['gu_id'] != $centralUser->getId()) {
$this->doFinalOutput(false, 'Invalid parameters');
return;
}
// Write info for session creation into memc
$centralSession = $this->getCentralSession($centralUser, $this->getUser());
$memcData += array('userName' => $centralUser->getName(), 'token' => $centralUser->getAuthToken(), 'finalProto' => $centralSession['finalProto'], 'secureCookies' => $centralSession['secureCookies'], 'remember' => $centralSession['remember'], 'sessionId' => $centralSession['sessionId']);
$wgMemc->set($key, $memcData, 60);
$this->do302Redirect($wikiid, 'setCookies', $params);
return;
case 'setCookies':
// Check that memcached is validated, and set cookies
// Do not cache this, we need to reset the cookies and memc every time.
$this->getOutput()->enableClientCache(false);
if (!$this->checkIsLocalWiki()) {
return;
}
CentralAuthUser::setP3P();
// Check saved memc token
$token = $this->getRequest()->getSessionData('centralautologin-token');
if ($token === null) {
$this->doFinalOutput(false, 'Lost session');
return;
}
// Load memc data
$wikiid = wfWikiID();
$key = CentralAuthUser::memcKey('centralautologin-token', $token, $wikiid);
$memcData = $wgMemc->get($key);
$wgMemc->delete($key);
// Check memc data
if (!$memcData || $memcData['wikiid'] !== $wikiid || !isset($memcData['userName']) || !isset($memcData['token'])) {
$this->doFinalOutput(false, 'Lost session');
return;
}
// Load and check CentralAuthUser. But don't check if it's
// attached, because then if the user is missing en.site they
// won't be auto logged in to any of the non-en versions either.
$centralUser = new CentralAuthUser($memcData['userName']);
if (!$centralUser->getId() || $centralUser->getId() != $memcData['gu_id']) {
$msg = "Wrong user: expected {$memcData['gu_id']}, got {$centralUser->getId()}";
wfDebug(__METHOD__ . ": {$msg}\n");
$this->doFinalOutput(false, 'Lost session');
return;
}
$loginResult = $centralUser->authenticateWithToken($memcData['token']);
if ($loginResult != 'ok') {
$msg = "Bad token: {$loginResult}";
wfDebug(__METHOD__ . ": {$msg}\n");
$this->doFinalOutput(false, 'Lost session');
return;
}
// Set a new session cookie, Just In Case™
wfResetSessionID();
// Set central cookies too, with a refreshed sessionid. Also, check if we
// need to override the default cookie security policy
$secureCookie = $memcData['secureCookies'];
$centralUser->setGlobalCookies($memcData['remember'], $memcData['sessionId'], $secureCookie, array('finalProto' => $memcData['finalProto'], 'secureCookies' => $memcData['secureCookies'], 'remember' => $memcData['remember']));
// Now, figure out how to report this back to the user.
// First, set to redo the edge login on the next pageview
$request->setSessionData('CentralAuthDoEdgeLogin', true);
// If it's not a script callback, just go for it.
if ($request->getVal('type') !== 'script') {
$this->doFinalOutput(true, 'success');
return;
}
// If it is a script callback, then we do want to create the user
// if it doesn't already exist locally (and fail if that can't be
// done).
if (!User::idFromName($centralUser->getName())) {
$user = new User();
$user->setName($centralUser->getName());
if (CentralAuthHooks::attemptAddUser($user)) {
$centralUser->invalidateCache();
}
}
if (!$centralUser->isAttached()) {
$this->doFinalOutput(false, 'Local user is not attached', self::getInlineScript('anon-set.js'));
return;
}
$script = self::getInlineScript('anon-remove.js');
// If we're returning to returnto, do that
if ($request->getCheck('return')) {
global $wgRedirectOnLogin;
if ($wgRedirectOnLogin !== null) {
$returnTo = $wgRedirectOnLogin;
$returnToQuery = array();
} else {
$returnTo = $request->getVal('returnto', '');
$returnToQuery = wfCgiToArray($request->getVal('returntoquery', ''));
}
$returnToTitle = Title::newFromText($returnTo);
if (!$returnToTitle) {
$returnToTitle = Title::newMainPage();
$returnToQuery = array();
}
$redirectUrl = $returnToTitle->getFullURL($returnToQuery);
$script .= "\n" . 'location.href = ' . Xml::encodeJsVar($redirectUrl) . ';';
$this->doFinalOutput(true, 'success', $script);
return;
}
// Otherwise, we need to rewrite p-personal and maybe notify the user too
global $wgCentralAuthUseEventLogging;
if ($wgCentralAuthUseEventLogging) {
EventLogging::logEvent('CentralAuth', 5690875, array('version' => 1, 'userId' => $centralUser->getId(), 'action' => 'sul2-autologin-fallbacklogin'));
}
// Add a script to the page that will pull in the user's toolslist
// via ajax, and update the UI. Don't write out the tools here (bug 57081).
$code = $this->getUser()->getOption('language');
$code = RequestContext::sanitizeLangCode($code);
Hooks::run('UserGetLanguageObject', array($this->getUser(), &$code, $this->getContext()));
$script .= "\n" . Xml::encodeJsCall('mediaWiki.messages.set', array(array('centralauth-centralautologin-logged-in' => wfMessage('centralauth-centralautologin-logged-in')->inLanguage($code)->plain(), 'centralauth-centralautologin-logged-in-nouser' => wfMessage('centralauth-centralautologin-logged-in-nouser')->inLanguage($code)->plain(), 'centralautologin' => wfMessage('centralautologin')->inLanguage($code)->plain())));
$script .= "\n" . self::getInlineScript('autologin.js');
// And for good measure, add the edge login HTML images to the page.
$script .= "\n" . Xml::encodeJsCall("jQuery( 'body' ).append", array(CentralAuthHooks::getEdgeLoginHTML()));
$this->doFinalOutput(true, 'success', $script);
return;
default:
$this->setHeaders();
$this->getOutput()->addWikiMsg('centralauth-centralautologin-desc');
return;
}
}
function __construct()
{
SpecialPage::__construct('GlobalGroupMembership');
$this->mGlobalUser = CentralAuthUser::getInstance($this->getUser());
}
protected function doResolveRequest($approved, $data)
{
$request = GlobalRenameRequest::newFromId($data['rid']);
$oldUser = User::newFromName($request->getName());
if ($request->userIsGlobal() || $request->getWiki() === wfWikiId()) {
$notifyEmail = MailAddress::newFromUser($oldUser);
} else {
$notifyEmail = $this->getRemoteUserMailAddress($request->getWiki(), $request->getName());
}
$newUser = User::newFromName($request->getNewName(), 'creatable');
$status = new Status();
$session = $this->getContext()->exportSession();
if ($approved) {
if ($request->userIsGlobal()) {
// Trigger a global rename job
$globalRenameUser = new GlobalRenameUser($this->getUser(), $oldUser, CentralAuthUser::getInstance($oldUser), $newUser, CentralAuthUser::getInstance($newUser), new GlobalRenameUserStatus($newUser->getName()), 'JobQueueGroup::singleton', new GlobalRenameUserDatabaseUpdates(), new GlobalRenameUserLogger($this->getUser()), $session);
$status = $globalRenameUser->rename($data);
} else {
// If the user is local-only:
// * rename the local user using LocalRenameUserJob
// * create a global user attached only to the local wiki
$job = new LocalRenameUserJob(Title::newFromText('Global rename job'), array('from' => $oldUser->getName(), 'to' => $newUser->getName(), 'renamer' => $this->getUser()->getName(), 'movepages' => true, 'suppressredirects' => true, 'promotetoglobal' => true, 'reason' => $data['reason'], 'session' => $session));
JobQueueGroup::singleton($request->getWiki())->push($job);
// Now log it
$this->logPromotionRename($oldUser->getName(), $request->getWiki(), $newUser->getName(), $data['reason']);
$status = Status::newGood();
}
}
if ($status->isGood()) {
$request->setStatus($approved ? GlobalRenameRequest::APPROVED : GlobalRenameRequest::REJECTED);
$request->setCompleted(wfTimestampNow());
$request->setPerformer(CentralAuthUser::getInstance($this->getUser())->getId());
$request->setComments($data['comments']);
if ($request->save()) {
// Send email to the user about the change in status.
if ($approved) {
$subject = $this->msg('globalrenamequeue-email-subject-approved')->inContentLanguage()->text();
$body = $this->msg('globalrenamequeue-email-body-approved', array($oldUser->getName(), $newUser->getName()))->inContentLanguage()->text();
} else {
$subject = $this->msg('globalrenamequeue-email-subject-rejected')->inContentLanguage()->text();
$body = $this->msg('globalrenamequeue-email-body-rejected', array($oldUser->getName(), $newUser->getName(), $request->getComments()))->inContentLanguage()->text();
}
if ($notifyEmail !== null && $notifyEmail->address) {
$type = $approved ? 'approval' : 'rejection';
wfDebugLog('CentralAuthRename', "Sending {$type} email to User:{$oldUser->getName()}/{$notifyEmail->address}");
$this->sendNotificationEmail($notifyEmail, $subject, $body);
}
} else {
$status->fatal('globalrenamequeue-request-savefailed');
}
}
return $status;
}
/**
* @param array $data
* @return Status
*/
function onSubmit(array $data)
{
if ($data['overrideantispoof']) {
$this->overrideAntiSpoof = true;
}
$valid = $this->validate($data);
if (!$valid->isOK()) {
return $valid;
}
$this->newUsername = $data['newname'];
$this->oldUsername = $data['oldname'];
$oldUser = User::newFromName($this->oldUsername);
$newUser = User::newFromName($this->newUsername, 'creatable');
$session = $this->getContext()->exportSession();
$globalRenameUser = new GlobalRenameUser($this->getUser(), $oldUser, CentralAuthUser::getInstance($oldUser), $newUser, CentralAuthUser::getInstance($newUser), new GlobalRenameUserStatus($newUser->getName()), 'JobQueueGroup::singleton', new GlobalRenameUserDatabaseUpdates(), new GlobalRenameUserLogger($this->getUser()), $session);
return $globalRenameUser->rename($data);
}
/**
* @param array $data
* @return Status
*/
public function onSubmit(array $data)
{
$newUser = User::newFromName($data['finaluser'], 'creatable');
if (!$newUser) {
return Status::newFatal('centralauth-usermerge-invalid');
}
if (!$this->checkRateLimit()) {
return Status::newFatal('centralauth-usermerge-ratelimited');
}
foreach ($data['usernames'] as $field) {
if (trim($field['name']) !== '') {
$name = User::getCanonicalName($field['name']);
if ($name === $newUser->getName()) {
// The new user is also specified as one of the targets,
// DWIM and ignore it
continue;
}
$this->oldCAUsers[] = new CentralAuthUser($name);
}
}
if (!$this->oldCAUsers) {
return $this->msg('centralauth-usermerge-nousers')->escaped();
}
if (count($this->oldCAUsers) > self::MAX_USERS_TO_MERGE) {
return Status::newFatal($this->msg('centralauth-usermerge-toomany')->numParams(self::MAX_USERS_TO_MERGE));
}
$this->newUsername = $newUser->getName();
$globalUserMerge = new GlobalUserMerge($this->getUser(), $this->oldCAUsers, CentralAuthUser::getInstance($newUser), new GlobalRenameUserStatus($newUser->getName()), 'JobQueueGroup::singleton', new GlobalUserMergeDatabaseUpdates(), new GlobalUserMergeLogger($this->getUser()), $this->getContext()->exportSession());
$status = $globalUserMerge->merge($data['reason']);
return $status;
}
/**
* Is the current user a global user?
* @return bool
*/
protected function isGlobalUser()
{
$user = $this->getUser();
$causer = CentralAuthUser::getInstance($user);
return $causer->exists() && $causer->isAttached();
}
/**
* @param User $user
* @return CentralAuthUser
*/
public function getUserInstance(User &$user)
{
return CentralAuthUser::getInstance($user);
}
/**
* Hook for UserMerge extension after an account is deleted
* @param User &$user account that was just deleted
* @return bool
*/
public static function onDeleteAccount(User &$user)
{
$caUser = CentralAuthUser::getInstance($user);
if ($caUser->isAttached()) {
// Clean up localuser table.
$caUser->adminUnattach(array(wfWikiID()));
}
// Clean up localnames table.
$caUser->removeLocalName(wfWikiID());
return true;
}
function resendConfirmationEmail($username)
{
$wikiID = wfWikiID();
$this->total++;
$this->output("Sending confirmation email for: '{$username}@{$wikiID}'\n");
// we want to start with the local user
$user = EmailableUser::newFromName($username);
if ($user === false) {
$this->output("ERROR: {$username} is an invalid username\n");
return;
}
$user->load();
if (!$this->sendToConfirmed && $user->isEmailConfirmed()) {
$this->output("ERROR: The user '{$username}@{$wikiID}' already has a confirmed email address\n");
return;
}
$central = CentralAuthUser::getInstance($user);
if (!$central->exists()) {
$this->output("ERROR: No global account for '{$username}'\n");
return;
}
if (!$central->isAttached()) {
$this->output("ERROR: '{$username}@{$wikiID}' is not attached to the global user\n");
return;
}
$unattached = $central->queryUnattached();
if (count($unattached) == 0) {
$this->output("ERROR: No unattached accounts for '{$username}'\n");
return;
}
if ($this->dryrun) {
$this->output("Would have sent email\n");
return;
}
if ($user->sendConfirmAndMigrateMail()) {
$this->output("Sent email to {$username}\n");
$this->sent++;
sleep($this->sleep);
} else {
$this->output("ERROR: Sending confirm and migrate email failed for '{$username}@{$wikiID}'\n");
}
}
default:
$bit = '???';
}
$logger = LoggerFactory::getInstance('badpass');
$logger->info("{$bit} for sysop '" . $user->getName() . "' from " . $wgRequest->getIP() . " - " . @$headers['X-Forwarded-For'] . ' - ' . @$headers['User-Agent']);
}
return true;
};
// Estimate users affected if we increase the minimum
// password length to 8 for privileged groups, i.e.
// T104370, T104371, T104372, T104373
$wgHooks['LoginAuthenticateAudit'][] = function ($user, $pass, $retval) {
global $wmgUseCentralAuth;
if ($retval == LoginForm::SUCCESS && strlen($pass) < 8) {
if ($wmgUseCentralAuth) {
$central = CentralAuthUser::getInstance($user);
if ($central->exists() && array_intersect(array('staff', 'sysadmin', 'steward', 'ombudsman', 'checkuser'), array_merge($central->getLocalGroups(), $central->getGlobalGroups()))) {
$logger = LoggerFactory::getInstance('badpass');
$logger->info("Login by privileged user '{$user->getName()}' with too short password");
}
}
}
return true;
};
$wgHooks['PrefsEmailAudit'][] = function ($user, $old, $new) {
if ($user->isAllowed('delete')) {
global $wgRequest;
$headers = apache_request_headers();
$logger = LoggerFactory::getInstance('badpass');
$logger->info("Email changed in prefs for sysop '" . $user->getName() . "' from '{$old}' to '{$new}'" . " - " . $wgRequest->getIP() . " - " . @$headers['X-Forwarded-For'] . ' - ' . @$headers['User-Agent']);
}
/**
* @param $auth
* @param $user User
* @param $params
* @return bool
*/
static function onSecurePoll_GetUserParams($auth, $user, &$params)
{
if ($user->isAnon()) {
return true;
}
$centralUser = CentralAuthUser::getInstance($user);
if (!($centralUser->exists() && $centralUser->isAttached())) {
return true;
}
$wikiID = $centralUser->getHomeWiki();
if (strval($wikiID) === '') {
return true;
}
$wiki = WikiMap::getWiki($wikiID);
$wikiUrl = $wiki->getUrl('');
$parts = explode('/', $wikiUrl);
if (isset($parts[2])) {
$params['properties']['ca-local-domain'] = $params['domain'];
$params['domain'] = $parts[2];
}
$params['properties']['ca-local-url'] = $params['url'];
$params['url'] = $wiki->getUrl('User:' . $user->getTitleKey());
return true;
}
