offspot / wikifundi

Create a pre-configured Mediawiki for offline Wikipedia contribution teaching

Change password policy in config #90

Closed rgaudin closed 5 years ago

rgaudin commented 5 years ago

The default $wgPasswordPolicy makes use of a popular passwords database to prevent users from reusing them. It is very annoying for the pibox installer as it would require us to reimplement the same rule (reusing their database)…

A quicker fix, acceptable given our use case, is to disable the PasswordCannotBePopular check in $wgPasswordPolicy directly in the LocalSettings.custom.php file.

```php
$wgPasswordPolicy = [
    'policies' => [
        'bureaucrat' => [
            'MinimalPasswordLength' => 8,
            'MinimumPasswordLengthToLogin' => 1,
            'PasswordCannotMatchUsername' => true,
            'PasswordCannotBePopular' => 25,
        ],
        'sysop' => [
            'MinimalPasswordLength' => 8,
            'MinimumPasswordLengthToLogin' => 1,
            'PasswordCannotMatchUsername' => true,
            'PasswordCannotBePopular' => 25,
        ],
        'bot' => [
            'MinimalPasswordLength' => 8,
            'MinimumPasswordLengthToLogin' => 1,
            'PasswordCannotMatchUsername' => true,
        ],
        'default' => [
            'MinimalPasswordLength' => 1,
            'PasswordCannotMatchUsername' => true,
            'PasswordCannotMatchBlacklist' => true,
            'MaximalPasswordLength' => 4096,
        ],
    ],
    'checks' => [
        'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
        'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
        'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
        'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
        'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
        'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist'
    ],
];
```

ping @kelson42 @florentk

rgaudin commented 5 years ago

You can simply add the following…

```php
unset($wgPasswordPolicy['checks']['PasswordCannotBePopular']);
unset($wgPasswordPolicy['checks']['PasswordCannotMatchBlacklist']);
unset($wgPasswordPolicy['checks']['PasswordCannotMatchUsername']);
unset($wgPasswordPolicy['checks']['MinimalPasswordLength']);
```

rgaudin commented 5 years ago

My mistake, the above solution does not work; add the following instead:

```php
// No-op check: returns a good Status for every password, whatever the policy value.
function WikifundiPasswordPolicy($policyVal, $user, $password) {
    return Status::newGood();
}

// Point the four checks at the no-op so they always pass.
$wgPasswordPolicy['checks']['MinimalPasswordLength'] = 'WikifundiPasswordPolicy';
$wgPasswordPolicy['checks']['PasswordCannotMatchUsername'] = 'WikifundiPasswordPolicy';
$wgPasswordPolicy['checks']['PasswordCannotMatchBlacklist'] = 'WikifundiPasswordPolicy';
$wgPasswordPolicy['checks']['PasswordCannotBePopular'] = 'WikifundiPasswordPolicy';
```
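
A narrower variant of the override above, as an added example that is not part of the issue or of the wikifundi code: it drops only the PasswordCannotBePopular entry from each group's policy, so the length, username and blacklist checks stay enforced. The helper names are hypothetical, the sample array is a constructed, trimmed copy of the default quoted in the issue, and the approach assumes MediaWiki runs a check only when a group's policy lists it.

```php
<?php
// Added example, not wikifundi code. Helper names are hypothetical.

/**
 * Remove one policy key from every group of a $wgPasswordPolicy-shaped array.
 * The 'checks' map is left untouched, so all other checks keep their handlers.
 */
function wikifundiDropPolicy(array $passwordPolicy, string $name): array {
    foreach (array_keys($passwordPolicy['policies']) as $group) {
        unset($passwordPolicy['policies'][$group][$name]);
    }
    return $passwordPolicy;
}

/**
 * List "group.policy" pairs that a group uses but that have no entry in
 * 'checks'. Run after editing to confirm no policy is left without a handler.
 */
function wikifundiPoliciesWithoutCheck(array $passwordPolicy): array {
    $missing = [];
    foreach ($passwordPolicy['policies'] as $group => $rules) {
        foreach (array_keys($rules) as $name) {
            if (!isset($passwordPolicy['checks'][$name])) {
                $missing[] = "$group.$name";
            }
        }
    }
    return $missing;
}

// Constructed sample: a trimmed copy of the default shown in the issue.
$sample = [
    'policies' => [
        'sysop' => ['MinimalPasswordLength' => 8, 'PasswordCannotBePopular' => 25],
        'default' => ['MinimalPasswordLength' => 1, 'PasswordCannotMatchUsername' => true],
    ],
    'checks' => [
        'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
        'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
        'PasswordCannotBePopular' => 'PasswordPolicyChecks::checkPopularPasswordBlacklist',
    ],
];

$narrowed = wikifundiDropPolicy($sample, 'PasswordCannotBePopular');
var_export($narrowed['policies']);                    // per-group policies after the change
var_export(wikifundiPoliciesWithoutCheck($narrowed)); // policies lacking a check handler

// In LocalSettings.custom.php the same call would be applied to the real global:
// $wgPasswordPolicy = wikifundiDropPolicy($wgPasswordPolicy, 'PasswordCannotBePopular');
```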