Deckard

Reputation: 2450

Prevent users from changing their passwords in MediaWiki

I am looking for a way to prevent all users from changing their password in MediaWiki (because account creation and password change are handled by a central SSO server).

As far as I can see there are two ways for a MediaWiki user to change their password: using the 'Forgot your password' link from the login page (the best solution would be the ability to show a custom link here) and the ability to change the password in the user preferences.

I have not found a suitable way yet, as this does not seem to be doable by simple configuration in LocalSettings.php.

Any help is very much appreciated.

Upvotes: 8

Views: 1902

Answers (4)

Wolfgang Hochleitner

Reputation: 71

If you're using a current version of MediaWiki (at the time of this posting 1.32, but this goes back to 1.18), most of the hooks in the accepted answer by Carsten Schmitz are now deprecated or have even been removed, so I'll post a similar solution with currently available hooks (that work with AuthManager).

As usual, add the following lines to LocalSettings.php:

This will remove the links for password reset and help for logging in on the login page. If you want to add another link instead, just replace false with a valid HTML link such as <a href="https://urltopasswordchangesite">I forgot my password</a>:

$wgHooks['AuthChangeFormFields'][] = function ( $requests, $fieldInfo, &$formDescriptor, $action ) {
    if ($action === "login") {
        // Removes the "Help for logging in" link
        $formDescriptor["linkcontainer"]["default"] = false;
        // Removes the actual password reset link
        $formDescriptor["passwordReset"]["default"] = false;
    }
    return true;
};

This hook will remove the button for password reset in the user preferences panel:

$wgHooks['GetPreferences'][] = function ( $user, &$preferences ) {
    unset( $preferences['password'] );
    return true;
};

Finally, the easiest way to disable a password and credentials change is to disable the corresponding special pages:

$wgHooks['SpecialPage_initList'][] = function ( &$list ) {
    unset( $list['ChangeCredentials'] );
    unset( $list['PasswordReset'] );
    return true;
};

Upvotes: 7
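
The hooks in the answer above hide links and remove the special pages, but the password-reset feature and the matching action API modules stay enabled. The following LocalSettings.php fragment is an added example, not part of the original answer, and assumes MediaWiki 1.27 or later (AuthManager); it disables the feature itself and replaces the two API modules with core's ApiDisabled stub:

```php
// Added example for LocalSettings.php; assumes MediaWiki 1.27+ (AuthManager).

// Turn off the password-reset feature itself instead of only hiding its link.
// With every route set to false, resets are refused regardless of entry point.
$wgPasswordResetRoutes = [
    'username' => false,
    'email'    => false,
];

// Unsetting Special:PasswordReset and Special:ChangeCredentials does not touch
// the action API. Overriding the modules with ApiDisabled makes
// api.php?action=resetpassword and api.php?action=changeauthenticationdata
// fail with an error instead of reaching AuthManager.
$wgAPIModules['resetpassword'] = 'ApiDisabled';
$wgAPIModules['changeauthenticationdata'] = 'ApiDisabled';
```

After deploying, request both API actions as a logged-in test user and confirm that each returns an error rather than a parameter prompt.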

njahnke

Reputation: 1387

I just did this and it was enough to hide the links (MediaWiki 1.20.3):

AuthPlugin.php line 176:

change from

public function allowPasswordChange() {
    return true;
}

to

public function allowPasswordChange() {
    return false;
}

Upvotes: -1

Mayeu

Reputation: 226

It seems there is an extension for that: http://www.mediawiki.org/wiki/Extension:RestrictPasswordChange

Upvotes: 0

Deckard

Reputation: 2450

After some hacking, here is the complete solution. I did not find it anywhere this complete, so please give it a thumbs up if it is useful to you:

Customize the output of the login screen by putting the following changes into LocalSettings.php:

$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
    $template->set('canreset',false); // removes default reset password link
    $template->set('resetlink',false);
    // Use the following line to show your own 'reset password' link above the login fields
    $template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>"); 
    return true;
}

Disable the reset password page just in case someone knows the direct URL:

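// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
// $error is an out parameter of this hook, so it must be taken by reference
// for the message to reach the caller.
function MailPasswordIsAllowed ( $username, &$error ) {
    $error = wfMsg( 'resetpass_forbidden' );
    return false;
}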

Disallow password change on password change page (referred by link in user preferences):

$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
    return true;
}

Hide password change link in user preferences:

$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
    unset($preferences['password']);
    return true;
}

Upvotes: 7
