Don't prompt to upgrade unset passwords

Summary: Fixes T4463. When your VCS or account password is not set, we test it for upgrade anyway. This doesn't make sense and throws shortly into the process because the empty hash isn't parseable. Instead, only show upgrade prompts when the password exists. Test Plan: - Added a password to an existing account with no password via password reset. - Added a VCS password to an existing account with no VCS password. - Observed no fatals / nonsense behaviors. Reviewers: btrahan, chad Reviewed By: chad CC: aran Maniphest Tasks: T4463 Differential Revision: https://secure.phabricator.com/D8282
2024-12-22 21:40:55 +01:00 · 2014-02-20 08:12:04 -08:00 · 2014-02-20 08:12:04 -08:00 · 55a94d8aba
commit 55a94d8aba
parent 65a3aa0cc7
3 changed files with 19 additions and 10 deletions
--- a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
@ -178,11 +178,13 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
        ->setLabel(pht('Best Available Algorithm'))
        ->setValue(PhabricatorPasswordHasher::getBestAlgorithmName()));

-    if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
-      $errors[] = pht(
-        'The strength of your stored VCS password hash can be upgraded. '.
-        'To upgrade, either: use the password to authenticate with a '.
-        'repository; or change your password.');
+    if (strlen($hash_envelope->openEnvelope())) {
+      if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
+        $errors[] = pht(
+          'The strength of your stored VCS password hash can be upgraded. '.
+          'To upgrade, either: use the password to authenticate with a '.
+          'repository; or change your password.');
+      }
    }

    $object_box = id(new PHUIObjectBoxView())
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@ -113,11 +113,13 @@ final class PhabricatorSettingsPanelPassword
    }

    $hash_envelope = new PhutilOpaqueEnvelope($user->getPasswordHash());
-    if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
-      $errors[] = pht(
-        'The strength of your stored password hash can be upgraded. '.
-        'To upgrade, either: log out and log in using your password; or '.
-        'change your password.');
+    if (strlen($hash_envelope->openEnvelope())) {
+      if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) {
+        $errors[] = pht(
+          'The strength of your stored password hash can be upgraded. '.
+          'To upgrade, either: log out and log in using your password; or '.
+          'change your password.');
+      }
    }

    $len_caption = null;
--- a/src/infrastructure/util/password/PhabricatorPasswordHasher.php
+++ b/src/infrastructure/util/password/PhabricatorPasswordHasher.php
@ -333,6 +333,11 @@ abstract class PhabricatorPasswordHasher extends Phobject {
   * @task hashing
   */
  public static function canUpgradeHash(PhutilOpaqueEnvelope $hash) {
+    if (!strlen($hash->openEnvelope())) {
+      throw new Exception(
+        pht('Expected a password hash, received nothing!'));
+    }
+
    $current_hasher = self::getHasherForHash($hash);
    $best_hasher = self::getBestHasher();