r92935 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r92934‎ | r92935 | r92936 >
Date:09:25, 23 July 2011
Author:aaron
Status:ok (Comments)
Tags:
Comment:
MFT r92907,r92894,r92887,r92886,r92884: password reset page fixes. Tweaked to use $this->mName field (since that's what it's called in 1.17).
Modified paths:
  • /branches/wmf/1.17wmf1/includes/specials/SpecialResetpass.php (modified) (history)
  • /branches/wmf/1.17wmf1/includes/specials/SpecialUserlogin.php (modified) (history)

Diff [purge]

Index: branches/wmf/1.17wmf1/includes/specials/SpecialUserlogin.php
@@ -431,7 +431,7 @@
432432 * creation.
433433 */
434434 public function authenticateUserData() {
435 - global $wgUser, $wgAuth, $wgMemc;
 435+ global $wgUser, $wgAuth;
436436
437437 if ( $this->mName == '' ) {
438438 return self::NO_NAME;
@@ -452,22 +452,9 @@
453453 return self::NEED_TOKEN;
454454 }
455455
456 - global $wgPasswordAttemptThrottle;
457 -
458 - $throttleCount = 0;
459 - if ( is_array( $wgPasswordAttemptThrottle ) ) {
460 - $throttleKey = wfMemcKey( 'password-throttle', wfGetIP(), md5( $this->mName ) );
461 - $count = $wgPasswordAttemptThrottle['count'];
462 - $period = $wgPasswordAttemptThrottle['seconds'];
463 -
464 - $throttleCount = $wgMemc->get( $throttleKey );
465 - if ( !$throttleCount ) {
466 - $wgMemc->add( $throttleKey, 1, $period ); // start counter
467 - } elseif ( $throttleCount < $count ) {
468 - $wgMemc->incr( $throttleKey );
469 - } elseif ( $throttleCount >= $count ) {
470 - return self::THROTTLED;
471 - }
 456+ $throttleCount = self::incLoginThrottle( $this->mName );
 457+ if ( $throttleCount === true ) {
 458+ return self::THROTTLED;
472459 }
473460
474461 // Validate the login token
@@ -561,8 +548,8 @@
562549 $wgUser = $u;
563550
564551 // Please reset throttle for successful logins, thanks!
565 - if( $throttleCount ) {
566 - $wgMemc->delete( $throttleKey );
 552+ if ( $throttleCount ) {
 553+ self::clearLoginThrottle( $this->mName );
567554 }
568555
569556 if ( $isAutoCreated ) {
@@ -576,6 +563,46 @@
577564 return $retval;
578565 }
579566
 567+ /*
 568+ * Increment the login attempt throttle hit count for the (username,current IP)
 569+ * tuple unless the throttle was already reached.
 570+ * @param $username string The user name
 571+ * @return Bool|Integer The integer hit count or True if it is already at the limit
 572+ */
 573+ public static function incLoginThrottle( $username ) {
 574+ global $wgPasswordAttemptThrottle, $wgMemc;
 575+
 576+ $throttleCount = 0;
 577+ if ( is_array( $wgPasswordAttemptThrottle ) ) {
 578+ $throttleKey = wfMemcKey( 'password-throttle', wfGetIP(), md5( $username ) );
 579+ $count = $wgPasswordAttemptThrottle['count'];
 580+ $period = $wgPasswordAttemptThrottle['seconds'];
 581+
 582+ $throttleCount = $wgMemc->get( $throttleKey );
 583+ if ( !$throttleCount ) {
 584+ $wgMemc->add( $throttleKey, 1, $period ); // start counter
 585+ } elseif ( $throttleCount < $count ) {
 586+ $wgMemc->incr( $throttleKey );
 587+ } elseif ( $throttleCount >= $count ) {
 588+ return true;
 589+ }
 590+ }
 591+
 592+ return $throttleCount;
 593+ }
 594+
 595+ /*
 596+ * Clear the login attempt throttle hit count for the (username,current IP) tuple.
 597+ * @param $username string The user name
 598+ * @return void
 599+ */
 600+ public static function clearLoginThrottle( $username ) {
 601+ global $wgMemc;
 602+
 603+ $throttleKey = wfMemcKey( 'password-throttle', wfGetIP(), md5( $username ) );
 604+ $wgMemc->delete( $throttleKey );
 605+ }
 606+
580607 /**
581608 * Attempt to automatically create a user on login. Only succeeds if there
582609 * is an external authentication method which allows it.
@@ -872,11 +899,11 @@
873900 global $wgUser;
874901 # Run any hooks; display injected HTML
875902 $injected_html = '';
876 - $welcome_creation_msg = 'welcomecreation';
 903+ $welcome_creation_msg = 'welcomecreation';
877904 wfRunHooks( 'UserLoginComplete', array( &$wgUser, &$injected_html ) );
878905
879906 //let any extensions change what message is shown
880 - wfRunHooks( 'BeforeWelcomeCreation', array( &$welcome_creation_msg, &$injected_html ) );
 907+ wfRunHooks( 'BeforeWelcomeCreation', array( &$welcome_creation_msg, &$injected_html ) );
881908
882909 $this->displaySuccessfulLogin( $welcome_creation_msg, $injected_html );
883910 }
Index: branches/wmf/1.17wmf1/includes/specials/SpecialResetpass.php
@@ -208,11 +208,21 @@
209209 throw new PasswordError( wfMsg( 'badretype' ) );
210210 }
211211
 212+ $throttleCount = LoginForm::incLoginThrottle( $this->mUserName );
 213+ if ( $throttleCount === true ) {
 214+ throw new PasswordError( wfMsg( 'login-throttled' ) );
 215+ }
 216+
212217 if( !$user->checkTemporaryPassword($this->mOldpass) && !$user->checkPassword($this->mOldpass) ) {
213218 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'wrongpassword' ) );
214219 throw new PasswordError( wfMsg( 'resetpass-wrong-oldpass' ) );
215220 }
216 -
 221+
 222+ // Please reset throttle for successful logins, thanks!
 223+ if ( $throttleCount ) {
 224+ LoginForm::clearLoginThrottle( $this->mUserName );
 225+ }
 226+
217227 try {
218228 $user->setPassword( $this->mNewpass );
219229 wfRunHooks( 'PrefsPasswordAudit', array( $user, $newpass, 'success' ) );

Follow-up revisions

RevisionCommit summaryAuthorDate
r94446MFT to REL1_18:...hashar09:27, 14 August 2011

Past revisions this follows-up on

RevisionCommit summaryAuthorDate
r92884Refactored code out into incLoginThrottle/clearLoginThrottle functions (for u...aaron20:58, 22 July 2011
r92886Follow-up r92884: mark these functions staticaaron21:04, 22 July 2011
r92887Fix for r86482: throttle password attempts for SpecialChangePassword (uses r9...aaron21:06, 22 July 2011
r92894Improved r92884 comments a bit on second thoughtaaron21:18, 22 July 2011
r92907Follow-up r92887: clear throttle count once the password is accepted as normalaaron22:42, 22 July 2011

Comments

#Comment by Hashar (talk | contribs)   09:32, 14 August 2011

Individuals revisions merge in REL1_18 by r94446.

Status & tagging log