
Prevent users from changing their passwords in Mediawiki

Tags: mediawiki

I am looking for a way to prevent all users from changing their password in MediaWiki (because account creation and password change are handled by a central SSO server).

As far as I can see there are two ways for a MediaWiki user to change their password: using the 'Forgot your password' link from the login page (the best solution would be the ability to show a custom link here), and changing the password in the user preferences.

I have not found a suitable way yet, as this does not seem to be doable by simple configuration in LocalSettings.php.

Any help is very much appreciated.

asked Jun 03 '13 09:06 by Deckard




2 Answers

After some hacking here is the complete solution. I did not find it anywhere this complete so please give it a thumbs up if it is useful to you:

Customize the output of the login screen by putting the following changes into LocalSettings.php:

$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
    $template->set('canreset',false); // removes default reset password link
    $template->set('resetlink',false);
    // Use the following line to show your own 'reset password' link above the login fields
    $template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>");
    return true;
}

Disable the reset password page just in case someone knows the direct URL:

// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
// $error is an out-parameter of this hook, so it must be taken by reference
function MailPasswordIsAllowed ( $username, &$error ) {
    $error = wfMsg( 'resetpass_forbidden' );
    return false;
}

Disallow password change on password change page (referred by link in user preferences):

$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
    // Always abort with the standard "passwords cannot be changed" message
    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
}

Hide password change link in user preferences:

$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
    unset($preferences['password']);
    return true;
}
answered Oct 13 '22 07:10 by Deckard


If you're using a current version of MediaWiki (at the time of this posting 1.32, but this goes back to 1.18) most of the hooks in the accepted answer by Carsten Schmitz are now deprecated or have even been removed, so I'll post a similar solution with currently available hooks (that work with AuthManager).

As usual, add the following lines to LocalSettings.php:

This will remove the links for password reset and help for logging in on the login page. If you want to add another link instead, just replace false with a valid HTML link such as <a href="https://urltopasswordchangesite">I forgot my password</a>:

$wgHooks['AuthChangeFormFields'][] = function ( $requests, $fieldInfo, &$formDescriptor, $action ) {
    if ($action === "login") {
        // Removes the "Help for logging in" link
        $formDescriptor["linkcontainer"]["default"] = false;
        // Removes the actual password reset link
        $formDescriptor["passwordReset"]["default"] = false;
    }
    return true;
};

This hook will remove the button for password reset in the user preferences panel:

$wgHooks['GetPreferences'][] = function ( $user, &$preferences ) {
    unset( $preferences['password'] );
    return true;
};

Finally, the easiest way to disable a password and credentials change is to disable the corresponding special pages:

$wgHooks['SpecialPage_initList'][] = function ( &$list ) {
    unset( $list['ChangeCredentials'] );
    unset( $list['PasswordReset'] );
    return true;
};
answered Oct 13 '22 07:10 by Wolfgang Hochleitner
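
Added example, not part of either answer: the hooks above only change the web interface, while on MediaWiki 1.27 and later the action API (api.php) has its own resetpassword and changeauthenticationdata modules that removing special pages does not affect. This LocalSettings.php fragment closes those paths as well; it assumes a MediaWiki version with AuthManager and that nothing on the wiki relies on these two API modules.

```php
// Added example for LocalSettings.php (assumes MediaWiki 1.27+ with AuthManager).

// Disable every password reset route. Core checks this setting for both
// Special:PasswordReset and the action=resetpassword API module.
$wgPasswordResetRoutes = false;

// Removing entries in SpecialPage_initList does not touch api.php.
// Mapping a core API module to ApiDisabled makes every request to it
// fail with an error instead of being processed.
$credentialApiModules = [
    'resetpassword',            // API counterpart of Special:PasswordReset
    'changeauthenticationdata', // API counterpart of Special:ChangeCredentials
];
foreach ( $credentialApiModules as $module ) {
    $wgAPIModules[$module] = 'ApiDisabled';
}
```

To confirm the setting took effect, an authenticated request to api.php with action=changeauthenticationdata should come back as an API error rather than a credential change.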