From 4a566f9e5d8d2b4539cbed12635aa542f2cfab26 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 21 Aug 2014 15:35:43 -0700
Subject: [PATCH] Allow passwords to be edited even if `account.editable` is `false`
Summary: Fixes T5900. We have some very old code here which does not let you update your password if the `account.editable` flag is set. This was approximately introduced in D890, and I think it was mostly copy/pasted at that point. I'm not sure this ever really made sense. The option is not documented as affecting this, for example. In the modern environment of auth providers, it definitely does not make sense. Instead, always allow users to change passwords if the install has a password provider configured.
Test Plan: - Set `account.editable` to false. - Used a password reset link.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T5900
Differential Revision: https://secure.phabricator.com/D10331
---
 .../PhabricatorAuthOneTimeLoginController.php | 2 +-
 .../panel/PhabricatorSettingsPanelPassword.php | 11 ++---------
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
index a40ab02d89..312367d03a 100644
--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@@ -120,7 +120,7 @@ final class PhabricatorAuthOneTimeLoginController
 $next = '/';
 if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) {
 $next = '/settings/panel/external/';
- } else if (PhabricatorEnv::getEnvConfig('account.editable')) {
+ } else {
 // We're going to let the user reset their password without knowing
 // the old one. Generate a one-time token for that.
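Review bot: With the `else if` reduced to a plain `else`, every install that has a password provider now issues a password-reset token from a one-time login link, including installs where an operator set `account.editable` to `false` expecting it to lock credentials, and nothing in the new code records that this is intentional. The comment in the branch should state the invariant, for example `// Deliberately not gated on "account.editable": any install with a password provider allows a reset from a one-time login link.`, and the option's description (not part of this diff) should say it does not cover passwords. The same gate is removed from `isEnabled()` in PhabricatorSettingsPanelPassword.php. The branch body continues outside the hunk, so how the token is generated, bound to the user and expired cannot be checked from here.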
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
index eeb9b3410e..8524e5baa0 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@@ -16,15 +16,8 @@ final class PhabricatorSettingsPanelPassword
 }
 public function isEnabled() {
- // There's no sense in showing a change password panel if the user
- // can't change their password...
-
- if (!PhabricatorEnv::getEnvConfig('account.editable')) {
- return false;
- }
-
- // ...or this install doesn't support password authentication at all.
-
+ // There's no sense in showing a change password panel if this install
+ // doesn't support password authentication.
 if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) {
 return false;
 }
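Review bot: The test plan exercises only the reset-link path, so nothing in the commit shows this panel being checked with `account.editable` set to `false`, although removing the gate from `isEnabled()` makes the panel reachable on those installs for the first time. The panel's request handling is outside the hunk, so it is worth confirming there that a password change still requires either the current password or a valid one-time token, and that the change is logged, rather than relying on `isEnabled()` alone. `isEnabled()` itself continues past the last line shown.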