r26013 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r26012‎ \| r26013 \| r26014 >
Date:	21:00, 21 September 2007
Author:	laner
Status:	old
Tags:
Comment:	* Fixed compatability with php4 (MediaWiki 1.6) - Patch from Bill Allison * Only call getAllGroups() if $wgLDAPGroupsPrevail is enabled * Added option $wgLDAPLocallyManagedGroups, to specify which groups won't have members automatically removed ** The sysop, bureaucrat, and bot groups are always considered locally managed * Fixed security issue where users weren't removed from groups when the LDAP group was deleted
Modified paths:	/trunk/extensions/LdapAuthentication/LdapAuthentication.php (modified) (history)

Diff [purge]

Index: trunk/extensions/LdapAuthentication/LdapAuthentication.php
—	—	@@ -43,17 +43,17 @@
44	44
45	45	require_once( 'AuthPlugin.php' );
46	46
47		~~-class LdapAuthenticationPlugin extends AuthPlugin {~~
	47	+//constants for search base
	48	+define("GROUPDN", 0);
	49	+define("USERDN", 1);
	50	+define("DEFAULTDN", 2);
48	51
49		~~- //constants for search base~~
50		~~- const GROUPDN = 0;~~
51		~~- const USERDN = 1;~~
52		~~- const DEFAULTDN = 2;~~
	52	+//constants for error reporting
	53	+define("NONSENSITIVE", 1);
	54	+define("SENSITIVE", 2);
	55	+define("HIGHLYSENSITIVE", 3);
53	56
54		~~- //constants for error reporting~~
55		~~- const NONSENSITIVE = 1;~~
56		~~- const SENSITIVE = 2;~~
57		~~- const HIGHLYSENSITIVE = 3;~~
	57	+class LdapAuthenticationPlugin extends AuthPlugin {
58	58
59	59	//preferences
60	60	var $email, $lang, $realname, $nickname, $externalid;
—	—	@@ -65,6 +65,9 @@
66	66	var $userLDAPGroups, $foundUserLDAPGroups;
67	67	var $allLDAPGroups;
68	68
	69	+ //boolean to test for failed auth
	70	+ var $authFailed;
	71	+
69	72	function LdapAuthenticationPlugin() {
70	73	}
71	74
—	—	@@ -81,7 +84,7 @@
82	85	function userExists( $username ) {
83	86	global $wgLDAPAddLDAPUsers;
84	87
85		~~- $this->printDebug( "Entering userExists", self::NONSENSITIVE );~~
	88	+ $this->printDebug( "Entering userExists", NONSENSITIVE );
86	89
87	90	//If we can't add LDAP users, we don't really need to check
88	91	//if the user exists, the authenticate method will do this for
—	—	@@ -93,7 +96,7 @@
94	97
95	98	$ldapconn = $this->connect();
96	99	if ( $ldapconn ) {
97		~~- $this->printDebug( "Successfully connected", self::NONSENSITIVE );~~
	100	+ $this->printDebug( "Successfully connected", NONSENSITIVE );
98	101
99	102	$searchstring = $this->getSearchString( $ldapconn, $username );
100	103
—	—	@@ -113,14 +116,14 @@
114	117	//Let's clean up
115	118	@ldap_unbind();
116	119	if ( !$entry ) {
117		~~- $this->printDebug( "Did not find a matching user in LDAP", self::NONSENSITIVE );~~
	120	+ $this->printDebug( "Did not find a matching user in LDAP", NONSENSITIVE );
118	121	return false;
119	122	} else {
120		~~- $this->printDebug( "Found a matching user in LDAP", self::NONSENSITIVE );~~
	123	+ $this->printDebug( "Found a matching user in LDAP", NONSENSITIVE );
121	124	return true;
122	125	}
123	126	} else {
124		~~- $this->printDebug( "Failed to connect", self::NONSENSITIVE );~~
	127	+ $this->printDebug( "Failed to connect", NONSENSITIVE );
125	128	return false;
126	129	}
127	130
—	—	@@ -137,11 +140,10 @@
138	141	global $wgLDAPEncryptionType;
139	142	global $wgLDAPOptions;
140	143
141		~~- $this->printDebug( "Entering Connect", self::NONSENSITIVE );~~
	144	+ $this->printDebug( "Entering Connect", NONSENSITIVE );
142	145
143	146	if ( !extension_loaded( 'ldap' ) ) {
144		~~- $this->printDebug( "Missing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module.", self::SENSITIVE );~~
145		~~- return;~~
	147	+ $this->printDebug( "It looks like you are issing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. If the authentication is working for you, the plugin isn't properly detecting the LDAP module, and you can safely ignore this message.", NONSENSITIVE );
146	148	}
147	149
148	150	//If the admin didn't set an encryption type, we default to tls
—	—	@@ -154,11 +156,11 @@
155	157	//Set the server string depending on whether we use ssl or not
156	158	switch( $encryptionType ) {
157	159	case "ssl":
158		~~- $this->printDebug( "Using SSL", self::SENSITIVE );~~
	160	+ $this->printDebug( "Using SSL", SENSITIVE );
159	161	$serverpre = "ldaps://";
160	162	break;
161	163	default:
162		~~- $this->printDebug( "Using TLS or not using encryption.", self::SENSITIVE );~~
	164	+ $this->printDebug( "Using TLS or not using encryption.", SENSITIVE );
163	165	$serverpre = "ldap://";
164	166	}
165	167
—	—	@@ -173,7 +175,7 @@
174	176	}
175	177	$servers = rtrim($servers);
176	178
177		~~- $this->printDebug( "Using servers: $servers", self::SENSITIVE );~~
	179	+ $this->printDebug( "Using servers: $servers", SENSITIVE );
178	180
179	181	//Connect and set options
180	182	$ldapconn = @ldap_connect( $servers );
—	—	@@ -191,9 +193,9 @@
192	194
193	195	//TLS needs to be started after the connection is made
194	196	if ( $encryptionType == "tls" ) {
195		~~- $this->printDebug( "Using TLS", self::SENSITIVE );~~
	197	+ $this->printDebug( "Using TLS", SENSITIVE );
196	198	if ( !ldap_start_tls( $ldapconn ) ) {
197		~~- $this->printDebug( "Failed to start TLS.", self::SENSITIVE );~~
	199	+ $this->printDebug( "Failed to start TLS.", SENSITIVE );
198	200	return;
199	201	}
200	202	}
—	—	@@ -223,12 +225,14 @@
224	226	global $wgLDAPLowerCaseUsername;
225	227	global $wgLDAPSearchStrings;
226	228	global $wgLDAPUniqueAttribute, $wgLDAPUniqueBlockLogin, $wgLDAPUniqueRenameUser;
	229	+ global $wgLDAPGroupsPrevail;
227	230
228		~~- $this->printDebug( "Entering authenticate", self::NONSENSITIVE );~~
	231	+ $this->printDebug( "Entering authenticate", NONSENSITIVE );
229	232
230	233	//We don't handle local authentication
231	234	if ( 'local' == $_SESSION['wsDomain'] ) {
232		~~- $this->printDebug( "User is using a local domain", self::SENSITIVE );~~
	235	+ $this->printDebug( "User is using a local domain", SENSITIVE );
	236	+ $this->cleanupFailedAuth();
233	237	return false;
234	238	}
235	239
—	—	@@ -236,7 +240,8 @@
237	241	//that he/she isn't trying to fool us by sending a username other
238	242	//than the one the web server got from the smartcard.
239	243	if ( $this->useSmartcardAuth() && $wgLDAPSSLUsername != $username ) {
240		- $this->printDebug( "The username provided doesn't match the username on the smartcard. The user is probably trying to log in to the smartcard domain with password authentication. Denying access.", self::SENSITIVE );
	244	+ $this->printDebug( "The username provided doesn't match the username on the smartcard. The user is probably trying to log in to the smartcard domain with password authentication. Denying access.", SENSITIVE );
	245	+ $this->cleanupFailedAuth();
241	246	return false;
242	247	}
243	248
—	—	@@ -246,20 +251,21 @@
247	252	//Smartcard authentication uses a pin, and does not require
248	253	//a password to be given; a blank password here is wanted.
249	254	if ( '' == $password && !$this->useSmartcardAuth() ) {
250		~~- $this->printDebug( "User used a blank password", self::NONSENSITIVE );~~
	255	+ $this->printDebug( "User used a blank password", NONSENSITIVE );
	256	+ $this->cleanupFailedAuth();
251	257	return false;
252	258	}
253	259
254	260	$ldapconn = $this->connect();
255	261	if ( $ldapconn ) {
256		~~- $this->printDebug( "Connected successfully", self::NONSENSITIVE );~~
	262	+ $this->printDebug( "Connected successfully", NONSENSITIVE );
257	263
258	264	//Mediawiki munges the username before authenticate is called,
259	265	//this can mess with authentication, group pulling/restriction,
260	266	//preference pulling, etc. Let's allow the admin to use
261	267	//a lowercased username if needed.
262	268	if ( isset( $wgLDAPLowerCaseUsername[$_SESSION['wsDomain']] ) && $wgLDAPLowerCaseUsername[$_SESSION['wsDomain']] ) {
263		~~- $this->printDebug( "Lowercasing the username: $username", self::NONSENSITIVE );~~
	269	+ $this->printDebug( "Lowercasing the username: $username", NONSENSITIVE );
264	270	$username = strtolower( $username );
265	271	}
266	272
—	—	@@ -269,25 +275,27 @@
270	276	//empty string; if this happens, the bind will ALWAYS
271	277	//return true, and will let anyone in!
272	278	if ( '' == $userdn ) {
273		~~- $this->printDebug( "User DN is blank", self::NONSENSITIVE );~~
	279	+ $this->printDebug( "User DN is blank", NONSENSITIVE );
274	280	// Lets clean up.
275	281	@ldap_unbind();
	282	+ $this->cleanupFailedAuth();
276	283	return false;
277	284	}
278	285
279	286	//If we are using password authentication, we need to bind as the
280	287	//user to make sure the password is correct.
281	288	if ( !$this->useSmartcardAuth() ) {
282		~~- $this->printDebug( "Binding as the user", self::NONSENSITIVE );~~
	289	+ $this->printDebug( "Binding as the user", NONSENSITIVE );
283	290
284	291	//Let's see if the user can authenticate.
285	292	$bind = $this->bindAs( $ldapconn, $userdn, $password );
286	293	if ( !$bind ) {
287	294	// Lets clean up.
288	295	@ldap_unbind();
	296	+ $this->cleanupFailedAuth();
289	297	return false;
290	298	}
291		~~- $this->printDebug( "Bound successfully", self::NONSENSITIVE );~~
	299	+ $this->printDebug( "Bound successfully", NONSENSITIVE );
292	300
293	301	if ( isset( $wgLDAPSearchStrings[$_SESSION['wsDomain']] ) ) {
294	302	$ss = $wgLDAPSearchStrings[$_SESSION['wsDomain']];
—	—	@@ -296,14 +304,14 @@
297	305	//DOMAIN\\USER-NAME.
298	306	//Get the user's full DN so we can search for groups and such.
299	307	$userdn = $this->getUserDN( $ldapconn, $username );
300		~~- $this->printDebug( "Pulled the user's DN: $userdn", self::NONSENSITIVE );~~
	308	+ $this->printDebug( "Pulled the user's DN: $userdn", NONSENSITIVE );
301	309	}
302	310	}
303	311
304	312	if ( ( isset( $wgLDAPRequireAuthAttribute[$_SESSION['wsDomain']] )
305	313	&& $wgLDAPRequireAuthAttribute[$_SESSION['wsDomain']] ) ) {
306	314
307		~~- $this->printDebug( "Checking for auth attributes", self::NONSENSITIVE );~~
	315	+ $this->printDebug( "Checking for auth attributes", NONSENSITIVE );
308	316
309	317	$filter = "(" . $wgLDAPAuthAttribute[$_SESSION['wsDomain']] . ")";
310	318	$attributes = array( "dn" );
—	—	@@ -312,9 +320,10 @@
313	321	$info = ldap_get_entries( $ldapconn, $entry );
314	322
315	323	if ( $info["count"] < 1 ) {
316		~~- $this->printDebug( "Failed auth attribute check", self::NONSENSITIVE );~~
	324	+ $this->printDebug( "Failed auth attribute check", NONSENSITIVE );
317	325	// Lets clean up.
318	326	@ldap_unbind();
	327	+ $this->cleanupFailedAuth();
319	328	return false;
320	329	}
321	330	}
—	—	@@ -323,20 +332,21 @@
324	333	//Old style groups, non-nestable and fairly limited on group type (full DN
325	334	//versus username). DEPRECATED
326	335	if ( $wgLDAPGroupDN ) {
327		~~- $this->printDebug( "Checking for (old style) group membership", self::NONSENSITIVE );~~
	336	+ $this->printDebug( "Checking for (old style) group membership", NONSENSITIVE );
328	337	if ( !$this->isMemberOfLdapGroup( $ldapconn, $userdn, $wgLDAPGroupDN ) ) {
329		~~- $this->printDebug( "Failed (old style) group membership check", self::NONSENSITIVE );~~
	338	+ $this->printDebug( "Failed (old style) group membership check", NONSENSITIVE );
330	339
331	340	//No point in going on if the user isn't in the required group
332	341	// Lets clean up.
333	342	@ldap_unbind();
	343	+ $this->cleanupFailedAuth();
334	344	return false;
335	345	}
336	346	}
337	347
338	348	//New style group checking
339	349	if ( isset( $wgLDAPRequiredGroups[$_SESSION['wsDomain']] ) ) {
340		~~- $this->printDebug( "Checking for (new style) group membership", self::NONSENSITIVE );~~
	350	+ $this->printDebug( "Checking for (new style) group membership", NONSENSITIVE );
341	351
342	352	if ( isset( $wgLDAPGroupUseFullDN[$_SESSION['wsDomain']] ) && $wgLDAPGroupUseFullDN[$_SESSION['wsDomain']] ) {
343	353	$inGroup = $this->isMemberOfRequiredLdapGroup( $ldapconn, $userdn );
—	—	@@ -345,7 +355,7 @@
346	356	&& $wgLDAPGroupUseRetrievedUsername[$_SESSION['wsDomain']] )
347	357	&& $this->LDAPUsername != '' ) {
348	358
349		~~- $this->printDebug( "Using the username retrieved from the user's entry.", self::NONSENSITIVE );~~
	359	+ $this->printDebug( "Using the username retrieved from the user's entry.", NONSENSITIVE );
350	360	$inGroup = $this->isMemberOfRequiredLdapGroup( $ldapconn, $this->LDAPUsername );
351	361	} else {
352	362	$inGroup = $this->isMemberOfRequiredLdapGroup( $ldapconn, $username );
—	—	@@ -355,6 +365,7 @@
356	366	if ( !$inGroup ) {
357	367	// Lets clean up.
358	368	@ldap_unbind();
	369	+ $this->cleanupFailedAuth();
359	370	return false;
360	371	}
361	372
—	—	@@ -362,7 +373,7 @@
363	374
364	375	//Synch LDAP groups with MediaWiki groups
365	376	if ( isset( $wgLDAPUseLDAPGroups[$_SESSION['wsDomain']] ) && $wgLDAPUseLDAPGroups[$_SESSION['wsDomain']] ) {
366		~~- $this->printDebug( "Retrieving LDAP group membership", self::NONSENSITIVE );~~
	377	+ $this->printDebug( "Retrieving LDAP group membership", NONSENSITIVE );
367	378
368	379	//Let's get the user's LDAP groups
369	380	if ( isset( $wgLDAPGroupUseFullDN[$_SESSION['wsDomain']] ) && $wgLDAPGroupUseFullDN[$_SESSION['wsDomain']] ) {
—	—	@@ -379,14 +390,14 @@
380	391
381	392	//Only find all groups if the user has any groups; otherwise, we are
382	393	//just wasting a search.
383		~~- if ( $this->foundUserLDAPGroups ) {~~
	394	+ if ( $this->foundUserLDAPGroups && ( isset( $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) && $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) ) {
384	395	$this->allLDAPGroups = $this->getAllGroups( $ldapconn, true );
385	396	}
386	397	}
387	398
388	399	//Retrieve preferences
389	400	if ( isset( $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) && $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) {
390		~~- $this->printDebug( "Retrieving preferences", self::NONSENSITIVE );~~
	401	+ $this->printDebug( "Retrieving preferences", NONSENSITIVE );
391	402
392	403	$entry = @ldap_read( $ldapconn, $userdn, "objectclass=*" );
393	404	$info = @ldap_get_entries( $ldapconn, $entry );
—	—	@@ -403,7 +414,7 @@
404	415	$this->realname = $info[0]["cn"][0];
405	416	}
406	417
407		~~- $this->printDebug( "Retrieved: $this->email, $this->lang, $this->nickname, $this->realname", self::SENSITIVE );~~
	418	+ $this->printDebug( "Retrieved: $this->email, $this->lang, $this->nickname, $this->realname", SENSITIVE );
408	419	}
409	420
410	421	// Are we blocking login/renaming users on unique external ID mismatches?
—	—	@@ -416,7 +427,7 @@
417	428	if ( ( isset( $wgLDAPUniqueBlockLogin[$_SESSION['wsDomain']] ) && $wgLDAPUniqueBlockLogin[$_SESSION['wsDomain']] )
418	429	\|\| ( isset( $wgLDAPUniqueRenameUser[$_SESSION['wsDomain']] ) && $wgLDAPUniqueRenameUser[$_SESSION['wsDomain']] ) ) {
419	430
420		~~- $this->printDebug( "Checking for username change in LDAP.", self::SENSITIVE );~~
	431	+ $this->printDebug( "Checking for username change in LDAP.", SENSITIVE );
421	432
422	433	//Get the user's unique attribute from LDAP
423	434	if ( isset( $wgLDAPUniqueAttribute[$_SESSION['wsDomain']] ) ) {
—	—	@@ -424,26 +435,27 @@
425	436	$this->externalid = $info[0][$ldapuniqueattr][0];
426	437	}
427	438
428		~~- $this->printDebug( "Retrieved external id: $this->externalid", self::SENSITIVE );~~
	439	+ $this->printDebug( "Retrieved external id: $this->externalid", SENSITIVE );
429	440
430	441	$retrievedusername = User::whoIsExternalID( "$this->externalid" );
431	442
432		~~- $this->printDebug( "Username (in MediaWiki database) of fetched external id: $retrievedusername", self::SENSITIVE );~~
	443	+ $this->printDebug( "Username (in MediaWiki database) of fetched external id: $retrievedusername", SENSITIVE );
433	444
434	445	// See if the username returned from the database matches the username given
435	446	if ( $retrievedusername != '' && ( $username != $retrievedusername ) ) {
436	447	if ( isset( $wgLDAPUniqueBlockLogin[$_SESSION['wsDomain']] )
437	448	&& $wgLDAPUniqueBlockLogin[$_SESSION['wsDomain']] ) {
438	449
439		~~- $this->printDebug( "Usernames do not match, blocking login.", self::SENSITIVE );~~
	450	+ $this->printDebug( "Usernames do not match, blocking login.", SENSITIVE );
440	451	return false;
441	452	} else if ( isset( $wgLDAPUniqueRenameUser[$_SESSION['wsDomain']] )
442	453	&& $wgLDAPUniqueRenameUser[$_SESSION['wsDomain']] ) {
443	454
444		~~- $this->printDebug( "Usernames do not match, renaming user in database.", self::SENSITIVE );~~
	455	+ $this->printDebug( "Usernames do not match, renaming user in database.", SENSITIVE );
445	456
446	457	if ( version_compare( $wgVersion, '1.7.0', '<' ) ) {
447		~~- $this->printDebug( "Renaming users is only supported in MediaWiki 1.7+, please upgrade.", self::SENSITIVE );~~
	458	+ $this->printDebug( "Renaming users is only supported in MediaWiki 1.7+, please upgrade.", SENSITIVE );
	459	+ $this->cleanupFailedAuth();
448	460	return false;
449	461	}
450	462
—	—	@@ -463,25 +475,31 @@
464	476	// as MediaWiki will try to create the user account after we
465	477	// do a rename. If we don't return false, the user will get
466	478	// a database error
	479	+ $this->cleanupFailedAuth();
467	480	return false;
468	481	}
469	482	}
470	483
471		~~- $this->printDebug( "Usernames matched or the user doesn't exist in the database yet.", self::SENSITIVE );~~
	484	+ $this->printDebug( "Usernames matched or the user doesn't exist in the database yet.", SENSITIVE );
472	485	}
473	486
474	487	// Lets clean up.
475	488	@ldap_unbind();
476	489	} else {
477		~~- $this->printDebug( "Failed to connect", self::NONSENSITIVE );~~
	490	+ $this->printDebug( "Failed to connect", NONSENSITIVE );
	491	+ $this->cleanupFailedAuth();
478	492	return false;
479	493	}
480		~~- $this->printDebug( "Authentication passed", self::NONSENSITIVE );~~
	494	+ $this->printDebug( "Authentication passed", NONSENSITIVE );
481	495
482	496	//We made it this far; the user authenticated and didn't fail any checks, so he/she gets in.
483	497	return true;
484	498	}
485	499
	500	+ function cleanupFailedAuth() {
	501	+ $this->authFailed = true;
	502	+ }
	503	+
486	504	/**
487	505	* Modify options in the login template.
488	506	*
—	—	@@ -493,7 +511,7 @@
494	512	global $wgLDAPAddLDAPUsers;
495	513	global $wgLDAPUseSmartcardAuth, $wgLDAPSmartcardDomain;
496	514
497		~~- $this->printDebug( "Entering modifyUITemplate", self::NONSENSITIVE );~~
	515	+ $this->printDebug( "Entering modifyUITemplate", NONSENSITIVE );
498	516
499	517	if ( !isset( $wgLDAPAddLDAPUsers[$_SESSION['wsDomain']] ) \|\| !$wgLDAPAddLDAPUsers[$_SESSION['wsDomain']] ) {
500	518	$template->set( 'create', false );
—	—	@@ -504,12 +522,12 @@
505	523
506	524	$tempDomArr = $wgLDAPDomainNames;
507	525	if ( $wgLDAPUseLocal ) {
508		~~- $this->printDebug( "Allowing the local domain, adding it to the list.", self::NONSENSITIVE );~~
	526	+ $this->printDebug( "Allowing the local domain, adding it to the list.", NONSENSITIVE );
509	527	array_push( $tempDomArr, 'local' );
510	528	}
511	529
512	530	if ( $wgLDAPUseSmartcardAuth ) {
513		~~- $this->printDebug( "Allowing smartcard login, removing the domain from the list.", self::NONSENSITIVE );~~
	531	+ $this->printDebug( "Allowing smartcard login, removing the domain from the list.", NONSENSITIVE );
514	532
515	533	//There is no reason for people to log in directly to the wiki if the are using a
516	534	//smartcard. If they try to, they are probably up to something fishy.
—	—	@@ -551,23 +569,23 @@
552	570	function setPassword( $user, &$password ) {
553	571	global $wgLDAPUpdateLDAP, $wgLDAPWriterDN, $wgLDAPWriterPassword;
554	572
555		~~- $this->printDebug( "Entering setPassword", self::NONSENSITIVE );~~
	573	+ $this->printDebug( "Entering setPassword", NONSENSITIVE );
556	574
557	575	if ( $_SESSION['wsDomain'] == 'local' ) {
558		~~- $this->printDebug( "User is using a local domain", self::NONSENSITIVE );~~
	576	+ $this->printDebug( "User is using a local domain", NONSENSITIVE );
559	577
560	578	//We don't set local passwords, but we don't want the wiki
561	579	//to send the user a failure.
562	580	return true;
563	581	} else if ( !isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) \|\| !$wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) {
564		~~- $this->printDebug( "Wiki is set to not allow updates", self::NONSENSITIVE );~~
	582	+ $this->printDebug( "Wiki is set to not allow updates", NONSENSITIVE );
565	583
566	584	//We aren't allowing the user to change his/her own password
567	585	return false;
568	586	}
569	587
570	588	if ( !isset( $wgLDAPWriterDN[$_SESSION['wsDomain']] ) ) {
571		~~- $this->printDebug( "Wiki doesn't have wgLDAPWriterDN set", self::NONSENSITIVE );~~
	589	+ $this->printDebug( "Wiki doesn't have wgLDAPWriterDN set", NONSENSITIVE );
572	590
573	591	//We can't change a user's password without an account that is
574	592	//allowed to do it.
—	—	@@ -578,10 +596,10 @@
579	597
580	598	$ldapconn = $this->connect();
581	599	if ( $ldapconn ) {
582		~~- $this->printDebug( "Connected successfully", self::NONSENSITIVE );~~
	600	+ $this->printDebug( "Connected successfully", NONSENSITIVE );
583	601	$userdn = $this->getSearchString( $ldapconn, $user->getName() );
584	602
585		~~- $this->printDebug( "Binding as the writerDN", self::NONSENSITIVE );~~
	603	+ $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
586	604	$bind = $this->bindAs( $ldapconn, $wgLDAPWriterDN[$_SESSION['wsDomain']], $wgLDAPWriterPassword[$_SESSION['wsDomain']] );
587	605	if ( !$bind ) {
588	606	return false;
—	—	@@ -598,14 +616,14 @@
599	617	//Let's clean up
600	618	@ldap_unbind();
601	619	if ( $success ) {
602		~~- $this->printDebug( "Successfully modified the user's password", self::NONSENSITIVE );~~
	620	+ $this->printDebug( "Successfully modified the user's password", NONSENSITIVE );
603	621	return true;
604	622	} else {
605		~~- $this->printDebug( "Failed to modify the user's password", self::NONSENSITIVE );~~
	623	+ $this->printDebug( "Failed to modify the user's password", NONSENSITIVE );
606	624	return false;
607	625	}
608	626	} else {
609		~~- $this->printDebug( "Failed to connect", self::NONSENSITIVE );~~
	627	+ $this->printDebug( "Failed to connect", NONSENSITIVE );
610	628	return false;
611	629	}
612	630	}
—	—	@@ -622,11 +640,11 @@
623	641	global $wgLDAPUpdateLDAP;
624	642	global $wgLDAPWriterDN, $wgLDAPWriterPassword;
625	643
626		~~- $this->printDebug( "Entering updateExternalDB", self::NONSENSITIVE );~~
	644	+ $this->printDebug( "Entering updateExternalDB", NONSENSITIVE );
627	645
628	646	if ( ( !isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) \|\| !$wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) \|\|
629	647	$_SESSION['wsDomain'] == 'local' ) {
630		~~- $this->printDebug( "Either the user is using a local domain, or the wiki isn't allowing updates", self::NONSENSITIVE );~~
	648	+ $this->printDebug( "Either the user is using a local domain, or the wiki isn't allowing updates", NONSENSITIVE );
631	649
632	650	//We don't handle local preferences, but we don't want the
633	651	//wiki to return an error.
—	—	@@ -634,7 +652,7 @@
635	653	}
636	654
637	655	if ( !isset( $wgLDAPWriterDN[$_SESSION['wsDomain']] ) ) {
638		~~- $this->printDebug( "The wiki doesn't have wgLDAPWriterDN set", self::NONSENSITIVE );~~
	656	+ $this->printDebug( "The wiki doesn't have wgLDAPWriterDN set", NONSENSITIVE );
639	657
640	658	//We can't modify LDAP preferences if we don't have a user
641	659	//capable of editing LDAP attributes.
—	—	@@ -648,10 +666,10 @@
649	667
650	668	$ldapconn = $this->connect();
651	669	if ( $ldapconn ) {
652		~~- $this->printDebug( "Connected successfully", self::NONSENSITIVE );~~
	670	+ $this->printDebug( "Connected successfully", NONSENSITIVE );
653	671	$userdn = $this->getSearchString( $ldapconn, $user->getName() );
654	672
655		~~- $this->printDebug( "Binding as the writerDN", self::NONSENSITIVE );~~
	673	+ $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
656	674	$bind = $this->bindAs( $ldapconn, $wgLDAPWriterDN[$_SESSION['wsDomain']], $wgLDAPWriterPassword[$_SESSION['wsDomain']] );
657	675	if ( !$bind ) {
658	676	return false;
—	—	@@ -663,16 +681,16 @@
664	682	if ( '' != $this->language ) { $values["preferredlanguage"] = $this->language; }
665	683
666	684	if ( 0 != sizeof( $values ) && ldap_modify( $ldapconn, $userdn, $values ) ) {
667		~~- $this->printDebug( "Successfully modified the user's attributes", self::NONSENSITIVE );~~
	685	+ $this->printDebug( "Successfully modified the user's attributes", NONSENSITIVE );
668	686	@ldap_unbind();
669	687	return true;
670	688	} else {
671		~~- $this->printDebug( "Failed to modify the user's attributes", self::NONSENSITIVE );~~
	689	+ $this->printDebug( "Failed to modify the user's attributes", NONSENSITIVE );
672	690	@ldap_unbind();
673	691	return false;
674	692	}
675	693	} else {
676		~~- $this->printDebug( "Failed to Connect", self::NONSENSITIVE );~~
	694	+ $this->printDebug( "Failed to Connect", NONSENSITIVE );
677	695	return false;
678	696	}
679	697	}
—	—	@@ -740,18 +758,18 @@
741	759	global $wgLDAPRequiredGroups, $wgLDAPGroupDN;
742	760	global $wgLDAPRequireAuthAttribute, $wgLDAPAuthAttribute;
743	761
744		~~- $this->printDebug( "Entering addUser", self::NONSENSITIVE );~~
	762	+ $this->printDebug( "Entering addUser", NONSENSITIVE );
745	763
746	764	if ( ( !isset( $wgLDAPAddLDAPUsers[$_SESSION['wsDomain']] ) \|\| !$wgLDAPAddLDAPUsers[$_SESSION['wsDomain']] ) \|\|
747	765	'local' == $_SESSION['wsDomain'] ) {
748		~~- $this->printDebug( "Either the user is using a local domain, or the wiki isn't allowing users to be added to LDAP", self::NONSENSITIVE );~~
	766	+ $this->printDebug( "Either the user is using a local domain, or the wiki isn't allowing users to be added to LDAP", NONSENSITIVE );
749	767
750	768	//Tell the wiki not to return an error.
751	769	return true;
752	770	}
753	771
754	772	if ( $wgLDAPRequiredGroups \|\| $wgLDAPGroupDN ) {
755		~~- $this->printDebug( "The wiki is requiring users to be in specific groups, and cannot add users as this would be a security hole.", self::NONSENSITIVE );~~
	773	+ $this->printDebug( "The wiki is requiring users to be in specific groups, and cannot add users as this would be a security hole.", NONSENSITIVE );
756	774	//It is possible that later we can add users into
757	775	//groups, but since we don't support it, we don't want
758	776	//to open holes!
—	—	@@ -759,7 +777,7 @@
760	778	}
761	779
762	780	if ( !isset( $wgLDAPWriterDN[$_SESSION['wsDomain']] ) ) {
763		~~- $this->printDebug( "The wiki doesn't have wgLDAPWriterDN set", self::NONSENSITIVE );~~
	781	+ $this->printDebug( "The wiki doesn't have wgLDAPWriterDN set", NONSENSITIVE );
764	782
765	783	//We can't add users without an LDAP account capable of doing so.
766	784	return false;
—	—	@@ -773,28 +791,28 @@
774	792
775	793	$ldapconn = $this->connect();
776	794	if ( $ldapconn ) {
777		~~- $this->printDebug( "Successfully connected", self::NONSENSITIVE );~~
	795	+ $this->printDebug( "Successfully connected", NONSENSITIVE );
778	796
779	797	$userdn = $this->getSearchString( $ldapconn, $username );
780	798	if ( '' == $userdn ) {
781		~~- $this->printDebug( "userdn is blank, attempting to use wgLDAPWriteLocation", self::NONSENSITIVE );~~
	799	+ $this->printDebug( "userdn is blank, attempting to use wgLDAPWriteLocation", NONSENSITIVE );
782	800	if ( isset( $wgLDAPWriteLocation[$_SESSION['wsDomain']] ) ) {
783		~~- $this->printDebug( "wgLDAPWriteLocation is set, using that", self::NONSENSITIVE );~~
	801	+ $this->printDebug( "wgLDAPWriteLocation is set, using that", NONSENSITIVE );
784	802	$userdn = $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" .
785	803	$username . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
786	804	} else {
787		~~- $this->printDebug( "wgLDAPWriteLocation is not set, failing", self::NONSENSITIVE );~~
	805	+ $this->printDebug( "wgLDAPWriteLocation is not set, failing", NONSENSITIVE );
788	806	//getSearchString will bind, but will not unbind
789	807	@ldap_unbind();
790	808	return false;
791	809	}
792	810	}
793	811
794		~~- $this->printDebug( "Binding as the writerDN", self::NONSENSITIVE );~~
	812	+ $this->printDebug( "Binding as the writerDN", NONSENSITIVE );
795	813
796	814	$bind = $this->bindAs( $ldapconn, $wgLDAPWriterDN[$_SESSION['wsDomain']], $wgLDAPWriterPassword[$_SESSION['wsDomain']] );
797	815	if ( !$bind ) {
798		~~- $this->printDebug( "Failed to bind as the writerDN; add failed", self::NONSENSITIVE );~~
	816	+ $this->printDebug( "Failed to bind as the writerDN; add failed", NONSENSITIVE );
799	817	return false;
800	818	}
801	819
—	—	@@ -812,18 +830,18 @@
813	831	$values[$wgLDAPAuthAttribute[$_SESSION['wsDomain']]] = "true";
814	832	}
815	833
816		~~- $this->printDebug( "Adding user", self::NONSENSITIVE );~~
	834	+ $this->printDebug( "Adding user", NONSENSITIVE );
817	835	if ( @ldap_add( $ldapconn, $userdn, $values ) ) {
818		~~- $this->printDebug( "Successfully added user", self::NONSENSITIVE );~~
	836	+ $this->printDebug( "Successfully added user", NONSENSITIVE );
819	837	@ldap_unbind();
820	838	return true;
821	839	} else {
822		~~- $this->printDebug( "Failed to add user", self::NONSENSITIVE );~~
	840	+ $this->printDebug( "Failed to add user", NONSENSITIVE );
823	841	@ldap_unbind();
824	842	return false;
825	843	}
826	844	} else {
827		~~- $this->printDebug( "Failed to connect; add failed", self::NONSENSITIVE );~~
	845	+ $this->printDebug( "Failed to connect; add failed", NONSENSITIVE );
828	846	return false;
829	847	}
830	848	}
—	—	@@ -835,7 +853,7 @@
836	854	* @access public
837	855	*/
838	856	function setDomain( $domain ) {
839		~~- $this->printDebug( "Setting domain as: $domain", self::NONSENSITIVE );~~
	857	+ $this->printDebug( "Setting domain as: $domain", NONSENSITIVE );
840	858	$_SESSION['wsDomain'] = $domain;
841	859	}
842	860
—	—	@@ -850,13 +868,13 @@
851	869	function validDomain( $domain ) {
852	870	global $wgLDAPDomainNames, $wgLDAPUseLocal;
853	871
854		~~- $this->printDebug( "Entering validDomain", self::NONSENSITIVE );~~
	872	+ $this->printDebug( "Entering validDomain", NONSENSITIVE );
855	873
856	874	if ( in_array( $domain, $wgLDAPDomainNames ) \|\| ( $wgLDAPUseLocal && 'local' == $domain ) ) {
857		~~- $this->printDebug( "User is using a valid domain.", self::NONSENSITIVE );~~
	875	+ $this->printDebug( "User is using a valid domain.", NONSENSITIVE );
858	876	return true;
859	877	} else {
860		~~- $this->printDebug( "User is not using a valid domain.", self::NONSENSITIVE );~~
	878	+ $this->printDebug( "User is not using a valid domain.", NONSENSITIVE );
861	879	return false;
862	880	}
863	881	}
—	—	@@ -873,14 +891,19 @@
874	892	global $wgLDAPUseLDAPGroups;
875	893	global $wgLDAPUniqueBlockLogin, $wgLDAPUniqueRenameUser;
876	894
877		~~- $this->printDebug( "Entering updateUser", self::NONSENSITIVE );~~
	895	+ $this->printDebug( "Entering updateUser", NONSENSITIVE );
878	896
	897	+ if ($this->authFailed) {
	898	+ $this->printDebug( "User didn't successfully authenticate, exiting.", NONSENSITIVE );
	899	+ return;
	900	+ }
	901	+
879	902	$saveSettings = false;
880	903
881	904	//If we aren't pulling preferences, we don't want to accidentally
882	905	//overwrite anything.
883	906	if ( isset( $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) && $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) {
884		~~- $this->printDebug( "Setting user preferences.", self::NONSENSITIVE );~~
	907	+ $this->printDebug( "Setting user preferences.", NONSENSITIVE );
885	908
886	909	if ( '' != $this->lang ) {
887	910	$user->setOption( 'language', $this->lang );
—	—	@@ -906,14 +929,14 @@
907	930	}
908	931
909	932	if ( isset( $wgLDAPUseLDAPGroups[$_SESSION['wsDomain']] ) && $wgLDAPUseLDAPGroups[$_SESSION['wsDomain']] ) {
910		~~- $this->printDebug( "Setting user groups.", self::NONSENSITIVE );~~
	933	+ $this->printDebug( "Setting user groups.", NONSENSITIVE );
911	934	$this->setGroups( $user );
912	935
913	936	$saveSettings = true;
914	937	}
915	938
916	939	if ( $saveSettings ) {
917		~~- $this->printDebug( "Saving user settings.", self::NONSENSITIVE );~~
	940	+ $this->printDebug( "Saving user settings.", NONSENSITIVE );
918	941	$user->saveSettings();
919	942	}
920	943	}
—	—	@@ -928,10 +951,15 @@
929	952	function initUser( &$user ) {
930	953	global $wgLDAPUseLDAPGroups;
931	954
932		~~- $this->printDebug( "Entering initUser", self::NONSENSITIVE );~~
	955	+ $this->printDebug( "Entering initUser", NONSENSITIVE );
933	956
	957	+ if ($this->authFailed) {
	958	+ $this->printDebug( "User didn't successfully authenticate, exiting.", NONSENSITIVE );
	959	+ return;
	960	+ }
	961	+
934	962	if ( 'local' == $_SESSION['wsDomain'] ) {
935		~~- $this->printDebug( "User is using a local domain", self::NONSENSITIVE );~~
	963	+ $this->printDebug( "User is using a local domain", NONSENSITIVE );
936	964	return;
937	965	}
938	966
—	—	@@ -959,13 +987,13 @@
960	988	function strict() {
961	989	global $wgLDAPUseLocal, $wgLDAPMailPassword;
962	990
963		~~- $this->printDebug( "Entering strict.", self::NONSENSITIVE );~~
	991	+ $this->printDebug( "Entering strict.", NONSENSITIVE );
964	992
965	993	if ( $wgLDAPUseLocal \|\| $wgLDAPMailPassword ) {
966		~~- $this->printDebug( "Returning false in strict().", self::NONSENSITIVE );~~
	994	+ $this->printDebug( "Returning false in strict().", NONSENSITIVE );
967	995	return false;
968	996	} else {
969		~~- $this->printDebug( "Returning true in strict().", self::NONSENSITIVE );~~
	997	+ $this->printDebug( "Returning true in strict().", NONSENSITIVE );
970	998	return true;
971	999	}
972	1000	}
—	—	@@ -980,15 +1008,15 @@
981	1009	*/
982	1010	function getCanonicalName( $username ) {
983	1011	global $wgLDAPUseLocal;
984		~~- $this->printDebug( "Entering getCanonicalName", self::NONSENSITIVE );~~
	1012	+ $this->printDebug( "Entering getCanonicalName", NONSENSITIVE );
985	1013
986	1014	if ( $username != '' ) {
987		~~- $this->printDebug( "Username isn't empty.", self::NONSENSITIVE );~~
	1015	+ $this->printDebug( "Username isn't empty.", NONSENSITIVE );
988	1016
989	1017	//We want to use the username returned by LDAP
990	1018	//if it exists
991	1019	if ( $this->LDAPUsername != '' ) {
992		~~- $this->printDebug( "Using LDAPUsername.", self::NONSENSITIVE );~~
	1020	+ $this->printDebug( "Using LDAPUsername.", NONSENSITIVE );
993	1021	$username = $this->LDAPUsername;
994	1022	}
995	1023
—	—	@@ -1004,7 +1032,7 @@
1005	1033	$username[0] = strtoupper( $username[0] );
1006	1034	}
1007	1035
1008		~~- $this->printDebug( "Munged username: $username", self::NONSENSITIVE );~~
	1036	+ $this->printDebug( "Munged username: $username", NONSENSITIVE );
1009	1037
1010	1038	return $username;
1011	1039	}
—	—	@@ -1036,11 +1064,11 @@
1037	1065	global $wgLDAPSearchStrings;
1038	1066	global $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;
1039	1067
1040		~~- $this->printDebug( "Entering getSearchString", self::NONSENSITIVE );~~
	1068	+ $this->printDebug( "Entering getSearchString", NONSENSITIVE );
1041	1069
1042	1070	if ( isset( $wgLDAPSearchStrings[$_SESSION['wsDomain']] ) ) {
1043	1071	//This is a straight bind
1044		~~- $this->printDebug( "Doing a straight bind", self::NONSENSITIVE );~~
	1072	+ $this->printDebug( "Doing a straight bind", NONSENSITIVE );
1045	1073
1046	1074	$tmpuserdn = $wgLDAPSearchStrings[$_SESSION['wsDomain']];
1047	1075	$userdn = str_replace( "USER-NAME", $username, $tmpuserdn );
—	—	@@ -1048,22 +1076,22 @@
1049	1077	//This is a proxy bind, or an anonymous bind with a search
1050	1078	if ( isset( $wgLDAPProxyAgent[$_SESSION['wsDomain']] ) ) {
1051	1079	//This is a proxy bind
1052		~~- $this->printDebug( "Doing a proxy bind", self::NONSENSITIVE );~~
	1080	+ $this->printDebug( "Doing a proxy bind", NONSENSITIVE );
1053	1081	$bind = $this->bindAs( $ldapconn, $wgLDAPProxyAgent[$_SESSION['wsDomain']], $wgLDAPProxyAgentPassword[$_SESSION['wsDomain']] );
1054	1082	} else {
1055	1083	//This is an anonymous bind
1056		~~- $this->printDebug( "Doing an anonymous bind", self::NONSENSITIVE );~~
	1084	+ $this->printDebug( "Doing an anonymous bind", NONSENSITIVE );
1057	1085	$bind = $this->bindAs( $ldapconn );
1058	1086	}
1059	1087
1060	1088	if ( !$bind ) {
1061		~~- $this->printDebug( "Failed to bind", self::NONSENSITIVE );~~
	1089	+ $this->printDebug( "Failed to bind", NONSENSITIVE );
1062	1090	return '';
1063	1091	}
1064	1092
1065	1093	$userdn = $this->getUserDN( $ldapconn, $username );
1066	1094	}
1067		~~- $this->printDebug( "userdn is: $userdn", self::SENSITIVE );~~
	1095	+ $this->printDebug( "userdn is: $userdn", SENSITIVE );
1068	1096	return $userdn;
1069	1097	}
1070	1098
—	—	@@ -1081,7 +1109,7 @@
1082	1110	global $wgLDAPSearchAttributes;
1083	1111	global $wgLDAPRequireAuthAttribute, $wgLDAPAuthAttribute;
1084	1112
1085		~~- $this->printDebug("Entering getUserDN", self::NONSENSITIVE);~~
	1113	+ $this->printDebug("Entering getUserDN", NONSENSITIVE);
1086	1114
1087	1115	//we need to do a subbase search for the entry
1088	1116
—	—	@@ -1091,20 +1119,20 @@
1092	1120	$auth_filter = "(" . $wgLDAPAuthAttribute[$_SESSION['wsDomain']] . ")";
1093	1121	$srch_filter = "(" . $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" . $this->getLdapEscapedString( $username ) . ")";
1094	1122	$filter = "(&" . $srch_filter . $auth_filter . ")";
1095		~~- $this->printDebug( "Created an auth attribute filter: $filter", self::SENSITIVE );~~
	1123	+ $this->printDebug( "Created an auth attribute filter: $filter", SENSITIVE );
1096	1124	} else {
1097	1125	$filter = "(" . $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" . $this->getLdapEscapedString( $username ) . ")";
1098		~~- $this->printDebug( "Created a regular filter: $filter", self::SENSITIVE );~~
	1126	+ $this->printDebug( "Created a regular filter: $filter", SENSITIVE );
1099	1127	}
1100	1128
1101	1129	$attributes = array( "*" );
1102		~~- $base = $this->getBaseDN( self::USERDN );~~
	1130	+ $base = $this->getBaseDN( USERDN );
1103	1131
1104		~~- $this->printDebug( "Using base: $base", self::SENSITIVE );~~
	1132	+ $this->printDebug( "Using base: $base", SENSITIVE );
1105	1133
1106	1134	$entry = @ldap_search( $ldapconn, $base, $filter, $attributes );
1107	1135	if ( !$entry ) {
1108		~~- $this->printDebug( "Couldn't find an entry", self::NONSENSITIVE );~~
	1136	+ $this->printDebug( "Couldn't find an entry", NONSENSITIVE );
1109	1137	return '';
1110	1138	}
1111	1139
—	—	@@ -1114,7 +1142,7 @@
1115	1143	//group checking, and pulling preferences.
1116	1144	wfRunHooks( 'SetUsernameAttributeFromLDAP', array( &$this->LDAPUsername, $info ) );
1117	1145	if ( !is_string( $this->LDAPUsername ) ) {
1118		- $this->printDebug( "Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.", self::NONSENSITIVE );
	1146	+ $this->printDebug( "Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.", NONSENSITIVE );
1119	1147	$this->LDAPUsername = '';
1120	1148	}
1121	1149
—	—	@@ -1124,7 +1152,7 @@
1125	1153
1126	1154	//DEPRECATED
1127	1155	function isMemberOfLdapGroup( $ldapconn, $userDN, $groupDN ) {
1128		~~- $this->printDebug( "Entering isMemberOfLdapGroup (DEPRECATED)", self::NONSENSITIVE );~~
	1156	+ $this->printDebug( "Entering isMemberOfLdapGroup (DEPRECATED)", NONSENSITIVE );
1129	1157
1130	1158	//we need to do a subbase search for the entry
1131	1159	$filter = "(member=" . $this->getLdapEscapedString( $userDN ) . ")";
—	—	@@ -1145,7 +1173,7 @@
1146	1174	global $wgLDAPRequiredGroups;
1147	1175	global $wgLDAPGroupSearchNestedGroups;
1148	1176
1149		~~- $this->printDebug( "Entering isMemberOfRequiredLdapGroup", self::NONSENSITIVE );~~
	1177	+ $this->printDebug( "Entering isMemberOfRequiredLdapGroup", NONSENSITIVE );
1150	1178
1151	1179	$reqgroups = $wgLDAPRequiredGroups[$_SESSION['wsDomain']];
1152	1180	for ( $i = 0; $i < count( $reqgroups ); $i++ ) {
—	—	@@ -1154,14 +1182,14 @@
1155	1183
1156	1184	$searchnested = $wgLDAPGroupSearchNestedGroups[$_SESSION['wsDomain']];
1157	1185
1158		~~- $this->printDebug( "Required groups:" . implode( ",",$reqgroups ) . "", self::NONSENSITIVE );~~
	1186	+ $this->printDebug( "Required groups:" . implode( ",",$reqgroups ) . "", NONSENSITIVE );
1159	1187
1160	1188	$groups = $this->getUserGroups( $ldapconn, $userDN );
1161	1189
1162	1190	//TODO: using variables for this kind of thing is dirty, let's think of a new way
1163	1191	// to handle this need.
1164	1192	if ( !$this->foundUserLDAPGroups ) {
1165		~~- $this->printDebug( "Couldn't find the user in any groups (1).", self::NONSENSITIVE );~~
	1193	+ $this->printDebug( "Couldn't find the user in any groups (1).", NONSENSITIVE );
1166	1194
1167	1195	//User isn't in any groups, so he/she obviously can't be in
1168	1196	//a required one
—	—	@@ -1170,7 +1198,7 @@
1171	1199	//User is in groups, let's see if a required group is one of them
1172	1200	foreach ( $groups as $group ) {
1173	1201	if ( in_array( $group, $reqgroups ) ) {
1174		~~- $this->printDebug( "Found user in a group.", self::NONSENSITIVE );~~
	1202	+ $this->printDebug( "Found user in a group.", NONSENSITIVE );
1175	1203	return true;
1176	1204	}
1177	1205	}
—	—	@@ -1182,7 +1210,7 @@
1183	1211	}
1184	1212	}
1185	1213
1186		~~- $this->printDebug( "Couldn't find the user in any groups (2).", self::NONSENSITIVE );~~
	1214	+ $this->printDebug("Couldn't find the user in any groups (2).", NONSENSITIVE );
1187	1215
1188	1216	return false;
1189	1217	}
—	—	@@ -1202,15 +1230,15 @@
1203	1231	function searchNestedGroups( $ldapconn, $groups, $checkedgroups = array() ) {
1204	1232	global $wgLDAPRequiredGroups;
1205	1233
1206		~~- $this->printDebug( "Entering searchNestedGroups", self::NONSENSITIVE );~~
	1234	+ $this->printDebug( "Entering searchNestedGroups", NONSENSITIVE );
1207	1235
1208	1236	//base case, no more groups left to check
1209	1237	if ( !$groups ) {
1210		~~- $this->printDebug( "Couldn't find user in any nested groups.", self::NONSENSITIVE );~~
	1238	+ $this->printDebug( "Couldn't find user in any nested groups.", NONSENSITIVE );
1211	1239	return false;
1212	1240	}
1213	1241
1214		~~- $this->printDebug( "Checking groups:" . implode( ",", $groups ) . "", self::SENSITIVE );~~
	1242	+ $this->printDebug( "Checking groups:" . implode( ",", $groups ) . "", SENSITIVE );
1215	1243
1216	1244	$reqgroups = $wgLDAPRequiredGroups[$_SESSION['wsDomain']];
1217	1245	for ( $i = 0; $i < count( $reqgroups ); $i++ ) {
—	—	@@ -1220,15 +1248,15 @@
1221	1249	$groupstocheck = array();
1222	1250	foreach ( $groups as $group ) {
1223	1251	$returnedgroups = $this->getUserGroups( $ldapconn, $group, false, false );
1224		~~- $this->printDebug( "Group $group is in the following groups:" . implode( ",", $returnedgroups ) . "", self::SENSITIVE );~~
	1252	+ $this->printDebug( "Group $group is in the following groups:" . implode( ",", $returnedgroups ) . "", SENSITIVE );
1225	1253	foreach ( $returnedgroups as $checkme ) {
1226	1254	if ( in_array( $checkme, $checkedgroups ) ) {
1227	1255	//We already checked this, move on
1228	1256	continue;
1229	1257	}
1230		~~- $this->printDebug( "Checking membership for: $checkme", self::SENSITIVE );~~
	1258	+ $this->printDebug( "Checking membership for: $checkme", SENSITIVE );
1231	1259	if ( in_array( $checkme, $reqgroups ) ) {
1232		~~- $this->printDebug( "Found user in a nested group.", self::NONSENSITIVE );~~
	1260	+ $this->printDebug( "Found user in a nested group.", NONSENSITIVE );
1233	1261	//Woohoo
1234	1262	return true;
1235	1263	} else {
—	—	@@ -1255,17 +1283,17 @@
1256	1284	* @access private
1257	1285	*/
1258	1286	function getUserGroups( $ldapconn, $dn, $getShortnames = false, $returncache = true ) {
1259		~~- $this->printDebug( "Entering getUserGroups", self::NONSENSITIVE );~~
	1287	+ $this->printDebug( "Entering getUserGroups", NONSENSITIVE );
1260	1288
1261	1289	//Let's return the saved groups if they are available
1262	1290	if ( $getShortnames ) {
1263	1291	if ( $returncache && isset( $this->userLDAPShortnameGroupCache ) ) {
1264		~~- $this->printDebug( "Returning short name group cache.", self::NONSENSITIVE );~~
	1292	+ $this->printDebug( "Returning short name group cache.", NONSENSITIVE );
1265	1293	return $this->userLDAPShortnameGroupCache;
1266	1294	}
1267	1295	} else {
1268	1296	if ( $returncache && isset( $this->userLDAPGroupCache ) ) {
1269		~~- $this->printDebug( "Returning long name group cache.", self::NONSENSITIVE );~~
	1297	+ $this->printDebug( "Returning long name group cache.", NONSENSITIVE );
1270	1298	return $this->userLDAPGroupCache;
1271	1299	}
1272	1300	}
—	—	@@ -1304,7 +1332,8 @@
1305	1333
1306	1334	/**
1307	1335	* Helper function for retrieving all LDAP groups. Returns
1308		~~- * a list of all groups in the LDAP server, under the appropriate~~
	1336	+ * a list of all groups in the LDAP server, that match available groups
	1337	+ * the user is already joined to in MediaWiki, under the appropriate
1309	1338	* basedn, all munged to lowercase.
1310	1339	* Sets $this->foundAllLDAPGroups
1311	1340	*
—	—	@@ -1314,7 +1343,7 @@
1315	1344	* @access private
1316	1345	*/
1317	1346	function getAllGroups( $ldapconn, $getShortnames = false ) {
1318		~~- $this->printDebug( "Entering getAllGroups", self::NONSENSITIVE );~~
	1347	+ $this->printDebug( "Entering getAllGroups", NONSENSITIVE );
1319	1348
1320	1349	//Let's return the saved groups if they are available
1321	1350	if ( $getShortnames ) {
—	—	@@ -1361,10 +1390,11 @@
1362	1391	function getGroups( $ldapconn, $dn ) {
1363	1392	global $wgLDAPGroupObjectclass, $wgLDAPGroupAttribute, $wgLDAPGroupNameAttribute;
1364	1393	global $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;
	1394	+ global $wgUser;
1365	1395
1366		~~- $this->printDebug( "Entering getGroups", self::NONSENSITIVE );~~
	1396	+ $this->printDebug( "Entering getGroups", NONSENSITIVE );
1367	1397
1368		~~- $base = $this->getBaseDN( self::GROUPDN );~~
	1398	+ $base = $this->getBaseDN( GROUPDN );
1369	1399
1370	1400	$objectclass = $wgLDAPGroupObjectclass[$_SESSION['wsDomain']];
1371	1401	$attribute = $wgLDAPGroupAttribute[$_SESSION['wsDomain']];
—	—	@@ -1374,21 +1404,22 @@
1375	1405	$value = $dn;
1376	1406	if ( $value != "*" )
1377	1407	$value = $this->getLdapEscapedString( $value );
	1408	+
1378	1409	$filter = "(&($attribute=$value)(objectclass=$objectclass))";
1379	1410
1380		~~- $this->printDebug( "Search string: $filter", self::SENSITIVE );~~
	1411	+ $this->printDebug( "Search string: $filter", SENSITIVE );
1381	1412
1382	1413	if ( isset( $wgLDAPProxyAgent[$_SESSION['wsDomain']] ) ) {
1383	1414	//We'll try to bind as the proxyagent as the proxyagent should normally have more
1384	1415	//rights than the user. If the proxyagent fails to bind, we will still be able
1385	1416	//to search as the normal user (which is why we don't return on fail).
1386		~~- $this->printDebug( "Binding as the proxyagentDN", self::NONSENSITIVE );~~
	1417	+ $this->printDebug( "Binding as the proxyagentDN", NONSENSITIVE );
1387	1418	$bind = $this->bindAs( $ldapconn, $wgLDAPProxyAgent[$_SESSION['wsDomain']], $wgLDAPProxyAgentPassword[$_SESSION['wsDomain']] );
1388	1419	}
1389	1420
1390	1421	$info = @ldap_search( $ldapconn, $base, $filter );
1391	1422	if ( !$info ) {
1392		~~- $this->printDebug( "No entries returned from search.", self::SENSITIVE );~~
	1423	+ $this->printDebug( "No entries returned from search.", SENSITIVE );
1393	1424
1394	1425	//Return an array with two empty arrays so that other functions
1395	1426	//don't error out.
—	—	@@ -1415,8 +1446,8 @@
1416	1447	array_push( $both_groups, $groups );
1417	1448	array_push( $both_groups, $shortnamegroups );
1418	1449
1419		~~- $this->printDebug( "Returned groups:" . implode( ",", $groups ) . "", self::SENSITIVE );~~
1420		~~- $this->printDebug( "Returned groups:" . implode( ",", $shortnamegroups ) . "", self::SENSITIVE );~~
	1450	+ $this->printDebug( "Returned groups:" . implode( ",", $groups ) . "", SENSITIVE );
	1451	+ $this->printDebug( "Returned groups:" . implode( ",", $shortnamegroups ) . "", SENSITIVE );
1421	1452
1422	1453	return $both_groups;
1423	1454	}
—	—	@@ -1430,7 +1461,7 @@
1431	1462	* @access private
1432	1463	*/
1433	1464	function hasLDAPGroup( $group ) {
1434		~~- $this->printDebug( "Entering hasLDAPGroup", self::NONSENSITIVE );~~
	1465	+ $this->printDebug( "Entering hasLDAPGroup", NONSENSITIVE );
1435	1466
1436	1467	return in_array( strtolower( $group ), $this->userLDAPGroups );
1437	1468	}
—	—	@@ -1443,7 +1474,7 @@
1444	1475	* @access private
1445	1476	*/
1446	1477	function isLDAPGroup( $group ) {
1447		~~- $this->printDebug( "Entering isLDAPGroup", self::NONSENSITIVE );~~
	1478	+ $this->printDebug( "Entering isLDAPGroup", NONSENSITIVE );
1448	1479
1449	1480	return in_array( strtolower( $group ), $this->allLDAPGroups );
1450	1481	}
—	—	@@ -1457,40 +1488,53 @@
1458	1489	*/
1459	1490	function setGroups( &$user ) {
1460	1491	global $wgLDAPGroupsPrevail, $wgGroupPermissions;
	1492	+ global $wgLDAPLocallyManagedGroups;
1461	1493
1462		~~- $this->printDebug( "Entering setGroups.", self::NONSENSITIVE );~~
	1494	+ $this->printDebug( "Entering setGroups.", NONSENSITIVE );
1463	1495
1464	1496	# add groups permissions
1465	1497	$localAvailGrps = $user->getAllGroups();
1466	1498	$localUserGrps = $user->getEffectiveGroups();
	1499	+
	1500	+ $defaultLocallyManagedGrps = array( 'bot', 'sysop', 'bureaucrat' );
1467	1501
	1502	+ if ( isset( $wgLDAPLocallyManagedGroups[$_SESSION['wsDomain']] ) ) {
	1503	+ $locallyManagedGrps = $wgLDAPLocallyManagedGroups[$_SESSION['wsDomain']];
	1504	+ $locallyManagedGrps = array_unique( array_merge( $defaultLocallyManagedGrps, $locallyManagedGrps ) );
	1505	+ $this->printDebug( "Locally managed groups: " . implode( ",", $locallyManagedGrps ) . "", SENSITIVE );
	1506	+ } else {
	1507	+ $locallyManagedGrps = $defaultLocallyManagedGrps;
	1508	+ $this->printDebug( "Locally managed groups is unset, using defaults: " . implode( ",", $locallyManagedGrps ) . "", SENSITIVE );
	1509	+ }
	1510	+
	1511	+
1468	1512	# Add ldap groups as local groups
1469	1513	if ( isset( $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) && $wgLDAPGroupsPrevail[$_SESSION['wsDomain']] ) {
1470		~~- $this->printDebug( "Adding all groups to wgGroupPermissions: " . implode( ",", $this->allLDAPGroups ) . "", self::SENSITIVE );~~
	1514	+ $this->printDebug( "Adding all groups to wgGroupPermissions: " . implode( ",", $this->allLDAPGroups ) . "", SENSITIVE );
1471	1515	foreach ( $this->allLDAPGroups as $ldapgroup )
1472	1516	if ( !array_key_exists( $ldapgroup, $wgGroupPermissions ) )
1473	1517	$wgGroupPermissions[$ldapgroup] = array();
1474	1518	}
1475	1519
1476		~~- $this->printDebug( "Available groups are: " . implode( ",", $localAvailGrps ) . "", self::NONSENSITIVE );~~
1477		~~- $this->printDebug( "Effective groups are: " . implode( ",", $localUserGrps ) . "", self::NONSENSITIVE );~~
	1520	+ $this->printDebug( "Available groups are: " . implode( ",", $localAvailGrps ) . "", NONSENSITIVE );
	1521	+ $this->printDebug( "Effective groups are: " . implode( ",", $localUserGrps ) . "", NONSENSITIVE );
1478	1522
1479	1523	# note: $localUserGrps does not need to be updated with $cGroup added,
1480	1524	# as $localAvailGrps contains $cGroup only once.
1481	1525	foreach ( $localAvailGrps as $cGroup ) {
1482	1526	# did we once add the user to the group?
1483	1527	if ( in_array( $cGroup,$localUserGrps ) ) {
1484		~~- $this->printDebug( "Checking to see if we need to remove user from: $cGroup", self::NONSENSITIVE );~~
1485		~~- if ( ( !$this->hasLDAPGroup( $cGroup ) ) && ( $this->isLDAPGroup( $cGroup ) ) ) {~~
1486		~~- $this->printDebug( "Removing user from: $cGroup", self::NONSENSITIVE );~~
	1528	+ $this->printDebug( "Checking to see if we need to remove user from: $cGroup", NONSENSITIVE );
	1529	+ if ( ( !$this->hasLDAPGroup( $cGroup ) ) && ( !in_array( $cGroup, $locallyManagedGrps ) ) ) {
	1530	+ $this->printDebug( "Removing user from: $cGroup", NONSENSITIVE );
1487	1531	# the ldap group overrides the local group
1488	1532	# so as the user is currently not a member of the ldap group, he shall be removed from the local group
1489	1533	$user->removeGroup( $cGroup );
1490	1534	}
1491	1535	} else { # no, but maybe the user has recently been added to the ldap group?
1492		~~- $this->printDebug( "Checking to see if user is in: $cGroup", self::NONSENSITIVE );~~
	1536	+ $this->printDebug( "Checking to see if user is in: $cGroup", NONSENSITIVE );
1493	1537	if ( $this->hasLDAPGroup( $cGroup ) ) {
1494		~~- $this->printDebug( "Adding user to: $cGroup", self::NONSENSITIVE );~~
	1538	+ $this->printDebug( "Adding user to: $cGroup", NONSENSITIVE );
1495	1539	# so use the addGroup function
1496	1540	$user->addGroup( $cGroup );
1497	1541	# completed for $cGroup.
—	—	@@ -1509,7 +1553,7 @@
1510	1554	function getPasswordHash( $password ) {
1511	1555	global $wgLDAPPasswordHash;
1512	1556
1513		~~- $this->printDebug( "Entering getPasswordHash", self::NONSENSITIVE );~~
	1557	+ $this->printDebug( "Entering getPasswordHash", NONSENSITIVE );
1514	1558
1515	1559	if ( isset( $wgLDAPPasswordHash[$_SESSION['wsDomain']] ) ) {
1516	1560	$hashtouse = $wgLDAPPasswordHash[$_SESSION['wsDomain']];
—	—	@@ -1531,7 +1575,7 @@
1532	1576	break;
1533	1577	}
1534	1578
1535		~~- $this->printDebug( "Password is $pass", self::HIGHLYSENSITIVE );~~
	1579	+ $this->printDebug( "Password is $pass", HIGHLYSENSITIVE );
1536	1580	return $pass;
1537	1581	}
1538	1582
—	—	@@ -1569,8 +1613,8 @@
1570	1614	$bind = @ldap_bind( $ldapconn, $userdn, $password );
1571	1615	}
1572	1616	if ( !$bind ) {
1573		~~- $this->printDebug( "Failed to bind as $userdn", self::NONSENSITIVE );~~
1574		~~- $this->printDebug( "with password: $password", self::HIGHLYSENSITIVE );~~
	1617	+ $this->printDebug( "Failed to bind as $userdn", NONSENSITIVE );
	1618	+ $this->printDebug( "with password: $password", HIGHLYSENSITIVE );
1575	1619	return false;
1576	1620	}
1577	1621	return true;
—	—	@@ -1617,39 +1661,39 @@
1618	1662	function getBaseDN ( $type ) {
1619	1663	global $wgLDAPBaseDNs, $wgLDAPGroupBaseDNs, $wgLDAPUserBaseDNs;
1620	1664
1621		~~- $this->printDebug( "Entering getBaseDN", self::NONSENSITIVE );~~
	1665	+ $this->printDebug( "Entering getBaseDN", NONSENSITIVE );
1622	1666
1623	1667	$ret = '';
1624	1668	switch( $type ) {
1625		~~- case self::USERDN:~~
	1669	+ case USERDN:
1626	1670	if ( isset( $wgLDAPUserBaseDNs[$_SESSION['wsDomain']] ) ) {
1627	1671	$ret = $wgLDAPUserBaseDNs[$_SESSION['wsDomain']];
1628	1672	}
1629	1673	break;
1630		~~- case self::GROUPDN:~~
	1674	+ case GROUPDN:
1631	1675	if ( isset( $wgLDAPGroupBaseDNs[$_SESSION['wsDomain']] ) ) {
1632	1676	$ret = $wgLDAPGroupBaseDNs[$_SESSION['wsDomain']];
1633	1677	}
1634	1678	break;
1635		~~- case self::DEFAULTDN:~~
	1679	+ case DEFAULTDN:
1636	1680	if ( isset( $wgLDAPBaseDNs[$_SESSION['wsDomain']] ) ) {
1637	1681	$ret = $wgLDAPBaseDNs[$_SESSION['wsDomain']];
1638		~~- $this->printDebug( "basedn is $ret", self::NONSENSITIVE );~~
	1682	+ $this->printDebug( "basedn is $ret", NONSENSITIVE );
1639	1683	return $ret;
1640	1684	} else {
1641		~~- $this->printDebug( "basedn is not set.", self::NONSENSITIVE );~~
	1685	+ $this->printDebug( "basedn is not set.", NONSENSITIVE );
1642	1686	return '';
1643	1687	}
1644	1688	break;
1645	1689	}
1646	1690
1647	1691	if ( $ret == '' ) {
1648		~~- $this->printDebug( "basedn is not set for this type of entry, trying to get the default basedn.", self::NONSENSITIVE );~~
	1692	+ $this->printDebug( "basedn is not set for this type of entry, trying to get the default basedn.", NONSENSITIVE );
1649	1693	// We will never reach here if $type is self::DEFAULTDN, so to avoid code
1650	1694	// code duplication, we'll get the default by re-calling the function.
1651		~~- return $this->getBaseDN( self::DEFAULTDN );~~
	1695	+ return $this->getBaseDN( DEFAULTDN );
1652	1696	} else {
1653		~~- $this->printDebug( "basedn is $ret", self::NONSENSITIVE );~~
	1697	+ $this->printDebug( "basedn is $ret", NONSENSITIVE );
1654	1698	return $ret;
1655	1699	}
1656	1700	}
—	—	@@ -1683,23 +1727,23 @@
1684	1728
1685	1729	$wgAuth = new LdapAuthenticationPlugin();
1686	1730
1687		~~- $wgAuth->printDebug( "Entering AutoAuthSetup.", self::NONSENSITIVE );~~
	1731	+ $wgAuth->printDebug( "Entering AutoAuthSetup.", NONSENSITIVE );
1688	1732
1689	1733	//We may add quite a few different auto authenticate methods in the
1690	1734	//future, let's make it easy to support.
1691	1735	switch( $wgLDAPAutoAuthMethod ) {
1692	1736	case "smartcard":
1693		~~- $wgAuth->printDebug( "Allowing smartcard authentication.", self::NONSENSITIVE );~~
1694		~~- $wgAuth->printDebug( "wgLDAPSSLUsername = $wgLDAPSSLUsername", self::SENSITIVE );~~
	1737	+ $wgAuth->printDebug( "Allowing smartcard authentication.", NONSENSITIVE );
	1738	+ $wgAuth->printDebug( "wgLDAPSSLUsername = $wgLDAPSSLUsername", SENSITIVE );
1695	1739
1696	1740	if( $wgLDAPSSLUsername != null ) {
1697		~~- $wgAuth->printDebug( "wgLDAPSSLUsername is not null, adding hooks.", self::NONSENSITIVE );~~
	1741	+ $wgAuth->printDebug( "wgLDAPSSLUsername is not null, adding hooks.", NONSENSITIVE );
1698	1742	$wgHooks['AutoAuthenticate'][] = 'SSLAuth'; /* Hook for magical authN */
1699	1743	$wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
1700	1744	}
1701	1745	break;
1702	1746	default:
1703		~~- $wgAuth->printDebug( "Not using any AutoAuthentication methods.", self::NONSENSITIVE );~~
	1747	+ $wgAuth->printDebug( "Not using any AutoAuthentication methods.", NONSENSITIVE );
1704	1748	}
1705	1749	}
1706	1750
—	—	@@ -1718,14 +1762,14 @@
1719	1763	global $wgUser;
1720	1764	global $wgAuth;
1721	1765
1722		~~- $wgAuth->printDebug( "Entering SSLAuth.", self::NONSENSITIVE );~~
	1766	+ $wgAuth->printDebug( "Entering SSLAuth.", NONSENSITIVE );
1723	1767
1724	1768	//Give us a user, see if we're around
1725	1769	$tmpuser = User::LoadFromSession();
1726	1770
1727	1771	//They already with us? If so, quit this function.
1728	1772	if( $tmpuser->isLoggedIn() ) {
1729		~~- $wgAuth->printDebug( "User is already logged in.", self::NONSENSITIVE );~~
	1773	+ $wgAuth->printDebug( "User is already logged in.", NONSENSITIVE );
1730	1774	return true;
1731	1775	}
1732	1776
—	—	@@ -1734,12 +1778,12 @@
1735	1779	$wgAuth->autoAuthSetup();
1736	1780
1737	1781	//The user hasn't already been authenticated, let's check them
1738		~~- $wgAuth->printDebug( "User is not logged in, we need to authenticate", self::NONSENSITIVE );~~
	1782	+ $wgAuth->printDebug( "User is not logged in, we need to authenticate", NONSENSITIVE );
1739	1783	$authenticated = $wgAuth->authenticate( $wgLDAPSSLUsername );
1740	1784	if ( !$authenticated ) {
1741	1785	//If the user doesn't exist in LDAP, there isn't much reason to
1742	1786	//go any further.
1743		~~- $wgAuth->printDebug("User wasn't found in LDAP, exiting.", self::NONSENSITIVE );~~
	1787	+ $wgAuth->printDebug("User wasn't found in LDAP, exiting.", NONSENSITIVE );
1744	1788	return false;
1745	1789	}
1746	1790
—	—	@@ -1747,26 +1791,26 @@
1748	1792	//get from LDAP.
1749	1793	$mungedUsername = $wgAuth->getCanonicalName( $wgLDAPSSLUsername );
1750	1794
1751		~~- $wgAuth->printDebug( "User exists in LDAP; finding the user by name in MediaWiki.", self::NONSENSITIVE );~~
	1795	+ $wgAuth->printDebug( "User exists in LDAP; finding the user by name in MediaWiki.", NONSENSITIVE );
1752	1796
1753	1797	//Is the user already in the database?
1754	1798	$tmpuser = User::newFromName( $mungedUsername );
1755	1799
1756	1800	if ( $tmpuser == null ) {
1757		~~- $wgAuth->printDebug( "Username is not a valid MediaWiki username.", self::NONSENSITIVE );~~
	1801	+ $wgAuth->printDebug( "Username is not a valid MediaWiki username.", NONSENSITIVE );
1758	1802	return false;
1759	1803	}
1760	1804
1761	1805	//If exists, log them in
1762	1806	if( $tmpuser->getID() != 0 ) {
1763		~~- $wgAuth->printDebug( "User exists in local database, logging in.", self::NONSENSITIVE );~~
	1807	+ $wgAuth->printDebug( "User exists in local database, logging in.", NONSENSITIVE );
1764	1808	$wgUser = &$tmpuser;
1765	1809	$wgAuth->updateUser( $wgUser );
1766	1810	$wgUser->setCookies();
1767	1811	$wgUser->setupSession();
1768	1812	return true;
1769	1813	}
1770		~~- $wgAuth->printDebug( "User does not exist in local database; creating.", self::NONSENSITIVE );~~
	1814	+ $wgAuth->printDebug( "User does not exist in local database; creating.", NONSENSITIVE );
1771	1815
1772	1816	//Require SpecialUserlogin so that we can get a loginForm
1773	1817	require_once( 'SpecialUserlogin.php' );
—	—	@@ -1781,7 +1825,7 @@
1782	1826	$wgLangUnset = true;
1783	1827	}
1784	1828
1785		~~- $wgAuth->printDebug( "Creating LoginForm.", self::NONSENSITIVE );~~
	1829	+ $wgAuth->printDebug( "Creating LoginForm.", NONSENSITIVE );
1786	1830
1787	1831	//This creates our form that'll let us create a new user in the database
1788	1832	$lf = new LoginForm( $wgRequest );
—	—	@@ -1790,7 +1834,7 @@
1791	1835	$wgUser = &$tmpuser;
1792	1836	$wgUser->setName( $wgContLang->ucfirst( $mungedUsername ) );
1793	1837
1794		~~- $wgAuth->printDebug( "Creating User.", self::NONSENSITIVE );~~
	1838	+ $wgAuth->printDebug( "Creating User.", NONSENSITIVE );
1795	1839
1796	1840	//Create the user
1797	1841	$lf->initUser( $wgUser );

Status & tagging log

15:21, 12 September 2011 Meno25 (talk | contribs) changed the status of r26013 [removed: ok added: old]