Prevent users from changing their passwords in Mediawiki

After some hacking here is the complete solution. I did not find it anywhere this complete so please give it a thumbs up if it is useful to you:

Customize the ouput of the login screen by putting the following changes into LocalSettings.php

$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
    $template->set('canreset',false); // removes default reset password link
    $template->set('resetlink',false);
    // Use the following line to show your own 'reset password' link above the login fields
    $template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>"); 
    return true;
 }

Disable the reset password page just in case someone knows the direct URL:

// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
function MailPasswordIsAllowed ( $username, $error ) {
    $error = wfMsg( 'resetpass_forbidden' );
    return false;
}

Disallow password change on password change page (referred by link in user preferences):

$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
    return true;
}

Hide password change link in user preferences:

$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
    unset($preferences['password']);
    return true;
}

If you're using a current version of MediaWiki (at the time of this posting 1.32, but this goes back to 1.18) most of the hooks in the accepted answer by Carsten Schmitz are now deprecated or have even been removed, so I'll post a similar solution with currently available hooks (that work with AuthManager).

As usual, add the following lines to LocalSettings.php:

This will remove the links for password reset and help for logging in on the login page. If you want to add another link instead, just replace false with a valid HTML link such as <a href="https://urltopasswordchangesite">I forgot my password</a>:

$wgHooks['AuthChangeFormFields'][] = function ( $requests, $fieldInfo, &$formDescriptor, $action ) {
    if ($action === "login") {
        // Removes the "Help for logging in" link
        $formDescriptor["linkcontainer"]["default"] = false;
        // Removes the actual password reset link
        $formDescriptor["passwordReset"]["default"] = false;
    }
    return true;
};

This hook will remove the button for password reset in the user preferences panel:

$wgHooks['GetPreferences'][] = function ( $user, &$preferences ) {
    unset( $preferences['password'] );
    return true;
};

Finally, the easiest way to disable a password and credentials change is to disable the corresponding special pages:

$wgHooks['SpecialPage_initList'][] = function ( &$list ) {
    unset( $list['ChangeCredentials'] );
    unset( $list['PasswordReset'] );
    return true;
};

Tags:

Mediawiki