Add htconfig setting to disable password_exposed()

diff --git a/doc/htconfig.md b/doc/htconfig.md
index 1f1b62bd49cf6262777c432e9f1137c24703c7f6..8562adc5faae0a59847100310dabd1a140d16be8 100644 (file)
--- a/doc/htconfig.md
+++ b/doc/htconfig.md
@@ -41,6 +41,7 @@ Example: To set the automatic database cleanup process add this line to your .ht
 * **diaspora_test** (Boolean) - For development only. Disables the message transfer.
 * **disable_email_validation** (Boolean) - Disables the check if a mail address is in a valid format and can be resolved via DNS.
 * **disable_url_validation** (Boolean) - Disables the DNS lookup of an URL.
+* **disable_password_exposed** (Boolean) - Disable the exposition check against the remote haveibeenpwned API on password change. Default value is false.
 * **dlogfile - location of the developer log file
 * **dlogip - restricts develop log writes to requests originating from this IP address
 * **frontend_worker_timeout** - Value in minutes after we think that a frontend task was killed by the webserver. Default value is 10.

diff --git a/mod/settings.php b/mod/settings.php
index 162597503cd1e5ad3d946f2592705b3e5a3a283c..1473f6d422cd39897ee34b77c1f503cf0aea13c9 100644 (file)
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -390,7 +390,7 @@ function settings_post(App $a)
                        $err = true;
         }
 
-               if (User::isPasswordExposed($newpass)) {
+               if (!$a->getConfigValue('system', 'disable_password_exposed', false) && User::isPasswordExposed($newpass)) {
                        notice(L10n::t('The new password has been exposed in a public data dump, please choose another.') . EOL);
                        $err = true;
                }