All geek questions in one place

Prevent users from changing their passwords in Mediawiki

I am looking for a way to prevent all users from changing their password in Mediawiki (since account creation and password change are handled by a central SSO server).

As far as I can see, there are two ways for a Mediawiki user to change his password: using the "Forgot Password" link on the login page (the best solution would be to show the user link here) and the ability to change the password in the user settings.

I have not yet found a suitable way, as this does not seem to be feasible with a simple configuration in LocalSettings.php.

Any help is greatly appreciated.

+5
source share
4 answers

After some hacking there is a complete solution. I have not found it anywhere in this full scope, so please give it a thumbs up, if that is useful to you:

Customize the login screen output by placing the following changes in LocalSettings.php

$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage'; function lfChangeLoginPage( &$template ) { $template->set('canreset',false); // removes default reset password link $template->set('resetlink',false); // Use the following line to show your own 'reset password' link above the login fields $template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>"); return true; }

Turn off the reset password page just in case someone knows the direct URL:

 // Disallow password reset on password reset page $wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed'; function MailPasswordIsAllowed ( $username, $error ) { $error = wfMsg( 'resetpass_forbidden' ); return false; }

Prohibit changing the password on the password change page (link in the user settings link):

 $wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed'; function ChangePasswordIsAllowed ( $user ) { throw new PasswordError( wfMsg( 'resetpass_forbidden' )); return true; }

Hide the link to change the password in the user settings:

 $wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink'; function RemovePasswordChangeLink ( $user, &$preferences ) { unset($preferences['password']); return true; }
+5
source

There seems to be an extension for this: http://www.mediawiki.org/wiki/Extension:RestrictPasswordChange

0
source

If you are using the current version of MediaWiki (at the time of publication 1.32, but this applies to 1.18), most of the hooks in Karsten Schmitz's accepted answer are now outdated or even deleted, so I will post a similar solution with the currently available hooks (which work with AuthManager )

As usual, add the following lines to LocalSettings.php :

This will remove the password reset links and help log in to the login page. If you want to add another link, just replace false valid HTML link, for example <a href="https://urltopasswordchangesite">I forgot my password</a> :

 $wgHooks['AuthChangeFormFields'][] = function ( $requests, $fieldInfo, &$formDescriptor, $action ) { if ($action === "login") { // Removes the "Help for logging in" link $formDescriptor["linkcontainer"]["default"] = false; // Removes the actual password reset link $formDescriptor["passwordReset"]["default"] = false; } return true; };

This hook will remove the password reset button in the user settings panel:

 $wgHooks['GetPreferences'][] = function ( $user, &$preferences ) { unset( $preferences['password'] ); return true; };

Finally, the easiest way to disable password and credential changes is to disable the corresponding special pages:

 $wgHooks['SpecialPage_initList'][] = function ( &$list ) { unset( $list['ChangeCredentials'] ); unset( $list['PasswordReset'] ); return true; };
0
source

I just did it, and that was enough to hide the links (mediawiki 1.20.3):

AuthPlugin.php line 176:

change

 public function allowPasswordChange() { return true; }

to

 public function allowPasswordChange() { return false; }
-1
source

Source: https://habr.com/ru/post/1484161/

More articles:


All Articles