Page MenuHomePhabricator

Allow disabling password changes when using an AuthPlugin
Closed, ResolvedPublic

Description

Author: d1capelis

Description:
Writing an authentication extension for Shibboleth
(http://shibboleth.internet2.edu) and found that there doesn't seem to be a
great way to hide the password change field on the preferences page from an
extension... this remedies that.

Fix consists of two patches:
*First patch is against the AuthPlugin class to add another function call
(canSetPassword) that returns whether or not a the passwords can be changed in
the external database.
*Second patch is for the preferences page to check this nd if it finds that it
can't change a password in the external database, not display the password
change form on that page.


Version: unspecified
Severity: enhancement

Details

Reference
bz6006

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:16 PM
bzimport set Reference to bz6006.
bzimport added a subscriber: Unknown Object (MLST).

d1capelis wrote:

Patch against trunk/phase3/includes/AuthPlugin.php

Attached:

d1capelis wrote:

Patch against trunk/phase3/includes/SpecialPreferences.php

Attached:

d1capelis wrote:

I know there was some IRC discussion on the bug, but can someone comment here on
what exactly they'd like to see changed?

robchur wrote:

The patch hides the form controls, but doesn't filter the POST values when the
request is submitted, so there's still scope for the input to be processed.

d1capelis wrote:

Except for the fact that the input is _already_ filtered out.

This just updates the form controls to reflect that the input is going to be
rejected.

robchur wrote:

Fixed in SVN trunk, r15139.

d1capelis wrote:

Verified, removed keywords. Thanks!