r55517 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r55516‎ \| r55517 \| r55518 >
Date:	03:33, 23 August 2009
Author:	simetrical
Status:	ok (Comments)
Tags:	todo
Comment:	Enforce $wgMinimalPasswordLength client-side . . . except not really. It works fine on Opera 9.6, except for the slight detail that if you enter a password that's too short, Opera will helpfully repeat your password back to you un-*ed when telling you it's too short. Same in Opera 10.00 Beta 3. So the code is commented out, and there are no functional changes. We'll need UA sniffing when the code is uncommented. But I already wrote it, so may as well commit it for future use. This recycles the "passwordtooshort" message to provide the client-side error message, using the title attribute on the input. Since the title attribute might be displayed when the user hasn't actually entered an invalid password, I've reworded it to not imply the user actually entered an incorrect password, so it just states the requirement. (This accords with the advice given in the HTML 5 spec.) I didn't make up a new message name for that, because it's not a big deal if translations do imply that the password is wrong, since that should theoretically be the most common case anyway.
Modified paths:	/trunk/phase3/includes/User.php (modified) (history) /trunk/phase3/includes/specials/SpecialResetpass.php (modified) (history) /trunk/phase3/includes/templates/Userlogin.php (modified) (history) /trunk/phase3/languages/messages/MessagesEn.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/User.php
—	—	@@ -3586,4 +3586,49 @@
3587	3587	$dbw->commit();
3588	3588	}
3589	3589
	3590	+ /**
	3591	+ * Provide an array of HTML 5 attributes to put on an input element
	3592	+ * intended for the user to enter a new password. This may include
	3593	+ * required, title, and/or pattern, depending on $wgMinimalPasswordLength.
	3594	+ *
	3595	+ * Do not use this when asking the user to enter his current password!
	3596	+ * Regardless of configuration, users may have invalid passwords for whatever
	3597	+ * reason (e.g., they were set before requirements were tightened up).
	3598	+ * Only use it when asking for a new password, like on account creation or
	3599	+ * ResetPass.
	3600	+ *
	3601	+ * Obviously, you still need to do server-side checking.
	3602	+ *
	3603	+ * @return array Array of HTML attributes suitable for feeding to
	3604	+ * Html::element(), directly or indirectly. (Don't feed to Xml::*()!
	3605	+ * That will potentially output invalid XHTML 1.0 Transitional, and will
	3606	+ * get confused by the boolean attribute syntax used.)
	3607	+ */
	3608	+ public static function passwordChangeInputAttribs() {
	3609	+ global $wgMinimalPasswordLength;
	3610	+
	3611	+ if ( $wgMinimalPasswordLength == 0 ) {
	3612	+ return array();
	3613	+ }
	3614	+
	3615	+ # Note that the pattern requirement will always be satisfied if the
	3616	+ # input is empty, so we need required in all cases.
	3617	+ $ret = array( 'required' );
	3618	+
	3619	+ # We can't actually do this right now, because Opera 9.6 will print out
	3620	+ # the entered password visibly in its error message! When other
	3621	+ # browsers add support for this attribute, or Opera fixes its support,
	3622	+ # we can add support with a version check to avoid doing this on Opera
	3623	+ # versions where it will be a problem. Reported to Opera as
	3624	+ # DSK-262266, but they don't have a public bug tracker for us to follow.
	3625	+ /*
	3626	+ if ( $wgMinimalPasswordLength > 1 ) {
	3627	+ $ret['pattern'] = '.{' . intval( $wgMinimalPasswordLength ) . ',}';
	3628	+ $ret['title'] = wfMsgExt( 'passwordtooshort', 'parsemag',
	3629	+ $wgMinimalPasswordLength );
	3630	+ }
	3631	+ */
	3632	+
	3633	+ return $ret;
	3634	+ }
3590	3635	}
Index: trunk/phase3/includes/specials/SpecialResetpass.php
—	—	@@ -128,8 +128,6 @@
129	129	}
130	130
131	131	function pretty( $fields ) {
132		~~- global $wgMinimalPasswordLength;~~
133		-
134	132	$out = '';
135	133	foreach ( $fields as $list ) {
136	134	list( $name, $label, $type, $value ) = $list;
—	—	@@ -137,14 +135,9 @@
138	136	$field = htmlspecialchars( $value );
139	137	} else {
140	138	$attribs = array( 'id' => $name );
141		~~- # The current password field is never required; it's possible~~
142		~~- # that existing users might have empty passwords on any wiki.~~
143		~~- # The two other password fields are required if~~
144		~~- # $wgMinimalPasswordLength > 0 (not allowed to set an empty~~
145		~~- # password).~~
146		~~- if ( ( $name == 'wpNewPassword' \|\| $name == 'wpRetype' )~~
147		~~- && $wgMinimalPasswordLength > 0 ) {~~
148		~~- $attribs[] = 'required';~~
	139	+ if ( $name == 'wpNewPassword' \|\| $name == 'wpRetype' ) {
	140	+ $attribs = array_merge( $attribs,
	141	+ User::passwordChangeInputAttribs() );
149	142	}
150	143	if ( $name == 'wpPassword' ) {
151	144	$attribs[] = 'autofocus';
Index: trunk/phase3/includes/templates/Userlogin.php
—	—	@@ -133,8 +133,6 @@
134	134	}
135	135
136	136	function execute() {
137		~~- global $wgMinimalPasswordLength;~~
138		-
139	137	if( $this->data['message'] ) {
140	138	?>
141	139	<div class="<?php $this->text('messagetype') ?>box">
—	—	@@ -176,7 +174,7 @@
177	175	'id' => 'wpPassword2',
178	176	'tabindex' => '2',
179	177	'size' => '20'
180		~~- ) + ( $wgMinimalPasswordLength > 0 ? array( 'required' ) : array() ) ); ?>~~
	178	+ ) + User::passwordChangeInputAttribs() ); ?>
181	179	</td>
182	180	</tr>
183	181	<?php if( $this->data['usedomain'] ) {
—	—	@@ -204,7 +202,7 @@
205	203	'id' => 'wpRetype',
206	204	'tabindex' => '4',
207	205	'size' => '20'
208		~~- ) + ( $wgMinimalPasswordLength > 0 ? array( 'required' ) : array() ) ); ?>~~
	206	+ ) + User::passwordChangeInputAttribs() ); ?>
209	207	</td>
210	208	</tr>
211	209	<tr>
Index: trunk/phase3/languages/messages/MessagesEn.php
—	—	@@ -1076,8 +1076,7 @@
1077	1077	Please try again.',
1078	1078	'wrongpasswordempty' => 'Password entered was blank.
1079	1079	Please try again.',
1080		~~-'passwordtooshort' => 'Your password is too short.~~
1081		~~-It must have at least {{PLURAL:$1\|1 character\|$1 characters}}.',~~
	1080	+'passwordtooshort' => 'Passwords must be at least {{PLURAL:$1\|1 character\|$1 characters}}.',
1082	1081	'password-name-match' => 'Your password must be different from your username.',
1083	1082	'mailmypassword' => 'E-mail new password',
1084	1083	'passwordremindertitle' => 'New temporary password for {{SITENAME}}',

Comments

#Comment by Brion VIBBER (talk | contribs) 18:21, 10 September 2009

passwordtooshort message is output as wikitext; reusing it for a client-side popup prompt probably won't work very well.

#Comment by Simetrical (talk | contribs) 18:37, 10 September 2009

Per discussion on IRC, passwordtooshort already appears to be output in some places as plaintext (specifically on Special:ResetPass), and in some places as raw HTML (specifically on Special:Userlogin). Doesn't add any inconsistency.

#Comment by Brion VIBBER (talk | contribs) 18:37, 10 September 2009

Changing from fixme to todo; as Aryeh notes on IRC the current usage is inconsistent (Special:Resetpass seems to HTML-escape the message, while Special:Userlogin doesn't.) Needs some cleanup later, but no harm for now.

#Comment by Tim Starling (talk | contribs) 07:31, 3 June 2010

Causes bug 23769, I think that counts as harm done.

#Comment by Simetrical (talk | contribs) 16:23, 9 June 2010

Should be fixed in r67283, r67284, r67285.

Status & tagging log

16:23, 9 June 2010 Simetrical (talk | contribs) changed the status of r55517 [removed: fixme added: ok]
07:31, 3 June 2010 Tim Starling (talk | contribs) changed the status of r55517 [removed: ok added: fixme]
18:37, 10 September 2009 Brion VIBBER (talk | contribs) changed the tags for r55517 [added: todo]
18:37, 10 September 2009 Brion VIBBER (talk | contribs) changed the status of r55517 [removed: fixme added: ok]
18:21, 10 September 2009 Brion VIBBER (talk | contribs) changed the status of r55517 [removed: new added: fixme]