Issue #3358524 by benjifisher, quietone, smustgrave: Users cannot log in if...

Issue #3358524 by benjifisher, quietone, smustgrave: Users cannot log in if Password Compatibility module is not enabled (cherry picked from commit b119e9b6)

Issue #3358524 by benjifisher, quietone, smustgrave: Users cannot log in if...
9e8d5400 · catch · f3d4f1b7 · 9e8d5400 · 9e8d5400
Commit 9e8d5400 authored 2 years ago by catch
--- a/core/modules/phpass/phpass.info.yml
+++ b/core/modules/phpass/phpass.info.yml
 name: Password Compatibility
 type: module
-description: 'Provides the password checking algorithm for user entities created with Drupal prior to version 10.1.x.'
+description: 'Provides the password checking algorithm for user accounts created with Drupal prior to version 10.1.0.'
 package: Core
 version: VERSION
--- a/core/modules/phpass/phpass.module
+++ b/core/modules/phpass/phpass.module
@@ -2,9 +2,10 @@

 /**
 * @file
- * Provides the password checking algorithm used prior to version 10.1.x.
+ * Provides the password checking algorithm used prior to version 10.1.0.
 */

+use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Routing\RouteMatchInterface;

 /**
@@ -15,8 +16,25 @@ function phpass_help($route_name, RouteMatchInterface $route_match) {
    case 'help.page.phpass':
      $output = '';
      $output .= '<h3>' . t('About') . '</h3>';
-      $output .= '<p>' . t('The Password Compatibility module provides the password checking algorithm for user entities created with Drupal prior to version 10.1.x. For more information, see the <a href=":phpass">online documentation for the Password Compatibility module</a>.', [':phpass' => 'https://www.drupal.org/docs/core-modules-and-themes/core-modules/password-compatibility-module']) . '</p>';
+      $output .= '<p>' . t('The Password Compatibility module provides the password checking algorithm for user accounts created with Drupal prior to version 10.1.0. For more information, see the <a href=":phpass">online documentation for the Password Compatibility module</a>.', [':phpass' => 'https://www.drupal.org/docs/core-modules-and-themes/core-modules/password-compatibility-module']) . '</p>';
+      $output .= '<p>' . t('Drupal 10.1.0 and later use a different algorithm to compute the hashed password. This provides better security against brute-force attacks. The hashed passwords are different from the ones computed with Drupal versions before 10.1.0.') . '</p>';
+      $output .= '<p>' . t('When the Password Compatibility module is installed, a user can log in with a username and password created before Drupal 10.1.0. The first time these credentials are used, a new hash is computed and saved. From then on, the user will be able to log in with the same username and password whether or not this module is installed.') . '</p>';
+      $output .= '<p>' . t('Passwords created before Drupal 10.1.0 <strong>will not work</strong> unless they are used at least once while this module is installed. Make sure that you can log in before uninstalling this module.') . '</p>';
      return $output;

  }
 }
+
+/**
+ * Implements hook_form_FORM_ID_alter() for system_modules_uninstall_confirm_form.
+ */
+function phpass_form_system_modules_uninstall_confirm_form_alter(array &$form, FormStateInterface $form_state): void {
+  $modules = \Drupal::keyValueExpirable('modules_uninstall')
+    ->get(\Drupal::currentUser()->id());
+  if (!in_array('phpass', $modules)) {
+    return;
+  }
+  \Drupal::messenger()->addWarning(t('Make sure that you can log in before uninstalling the Password Compatibility module. For more information, see the <a href=":phpass">online documentation for the Password Compatibility module</a>.', [
+    ':phpass' => 'https://www.drupal.org/docs/core-modules-and-themes/core-modules/password-compatibility-module',
+  ]));
+}