mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-12-11 16:16:06 +00:00
329c3133d6
Notify users when 2FA is disabled on their account in case something was fishy about it. This notification is a "system" notification that will be displayed in the web UI and sent over email. It can't be opted out of as a preference. The notification links to Special:Preferences, where users can see their 2FA status and re-enable it if they want. A secondary help link goes to [[mw:Help:Two-factor authentication]], but can be overridden by adjusting the "oathauth-notifications-disable-helplink" message. The notification text is different based on whether the user disabled 2FA on their own, or an admin used the special page or a maint script to do it. On Wikimedia wikis, we'll use the WikimediaMessages extension to customize the messages. The Echo (Notifications) extension is not required, this will gracefully do nothing if it's not enabled. Bug: T210075 Bug: T210963 Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
49 lines
1.6 KiB
PHP
49 lines
1.6 KiB
PHP
<?php
|
|
|
|
use MediaWiki\Extension\OATHAuth\IModule;
|
|
use MediaWiki\MediaWikiServices;
|
|
use MediaWiki\Session\SessionManager;
|
|
|
|
if ( getenv( 'MW_INSTALL_PATH' ) ) {
|
|
$IP = getenv( 'MW_INSTALL_PATH' );
|
|
} else {
|
|
$IP = __DIR__ . '/../../..';
|
|
}
|
|
require_once "$IP/maintenance/Maintenance.php";
|
|
|
|
class DisableOATHAuthForUser extends Maintenance {
|
|
public function __construct() {
|
|
parent::__construct();
|
|
$this->addDescription( 'Remove OATHAuth from a specific user' );
|
|
$this->addArg( 'user', 'The username to remove OATHAuth from.' );
|
|
$this->requireExtension( 'OATHAuth' );
|
|
}
|
|
|
|
public function execute() {
|
|
$username = $this->getArg( 0 );
|
|
|
|
$user = User::newFromName( $username );
|
|
if ( $user && $user->getId() === 0 ) {
|
|
$this->fatalError( "User $username doesn't exist!" );
|
|
}
|
|
|
|
$repo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
|
|
$oathUser = $repo->findByUser( $user );
|
|
$module = $oathUser->getModule();
|
|
if ( !( $module instanceof IModule ) || $module->isEnabled( $oathUser ) === false ) {
|
|
$this->fatalError( "User $username doesn't have OATHAuth enabled!" );
|
|
}
|
|
|
|
$repo->remove( $oathUser, 'Maintenance script', false );
|
|
// Kill all existing sessions. If this disable was social-engineered by an attacker,
|
|
// the legitimate user will hopefully login again and notice that the second factor
|
|
// is missing or different, and alert the operators.
|
|
SessionManager::singleton()->invalidateSessionsForUser( $user );
|
|
|
|
$this->output( "OATHAuth disabled for $username.\n" );
|
|
}
|
|
}
|
|
|
|
$maintClass = DisableOATHAuthForUser::class;
|
|
require_once RUN_MAINTENANCE_IF_MAIN;
|