From 5b4fb945a2f8e950d3f3da8ae1fc8127ff887568 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Wed, 21 Mar 2018 02:35:28 -0400 Subject: [PATCH] Add htconfig setting to disable password_exposed() --- doc/htconfig.md | 1 + mod/settings.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/htconfig.md b/doc/htconfig.md index 1f1b62bd49..8562adc5fa 100644 --- a/doc/htconfig.md +++ b/doc/htconfig.md @@ -41,6 +41,7 @@ Example: To set the automatic database cleanup process add this line to your .ht * **diaspora_test** (Boolean) - For development only. Disables the message transfer. * **disable_email_validation** (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS. * **disable_url_validation** (Boolean) - Disables the DNS lookup of an URL. +* **disable_password_exposed** (Boolean) - Disable the exposition check against the remote haveibeenpwned API on password change. Default value is false. * **dlogfile - location of the developer log file * **dlogip - restricts develop log writes to requests originating from this IP address * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10. diff --git a/mod/settings.php b/mod/settings.php index 162597503c..1473f6d422 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -390,7 +390,7 @@ function settings_post(App $a) $err = true; } - if (User::isPasswordExposed($newpass)) { + if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) { notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL); $err = true; }