1<?php
2
final class PhabricatorAuthProvidersGuidanceEngineExtension
  extends PhabricatorGuidanceEngineExtension {

  const GUIDANCEKEY = 'core.auth.providers';

  /**
   * This extension only speaks to the authentication-providers guidance
   * context; every other context is declined.
   *
   * @param PhabricatorGuidanceContext $context Context being rendered.
   * @return bool True when this extension should produce guidance.
   */
  public function canGenerateGuidance(PhabricatorGuidanceContext $context) {
    if ($context instanceof PhabricatorAuthProvidersGuidanceContext) {
      return true;
    }

    return false;
  }

  /**
   * Produce guidance about how open account registration is on this install.
   *
   * Nothing is emitted unless at least one enabled provider permits
   * registration. Otherwise the result lists, in order: whether an email
   * domain allowlist (`auth.email-domains`) is in effect, whether
   * administrative approval (`auth.require-approval`) is required, a warning
   * when neither control is on, and finally a high-priority warning if
   * provider configuration is locked (`auth.lock-config`).
   *
   * @param PhabricatorGuidanceContext $context Unused here; the context was
   *   already accepted by canGenerateGuidance().
   * @return array Guidance and warning items, possibly empty.
   */
  public function generateGuidance(PhabricatorGuidanceContext $context) {
    // Warnings about registration being too open are pointless when nobody
    // can register in the first place.
    if (!$this->isRegistrationAllowedByAnyProvider()) {
      return array();
    }

    $domains_key = 'auth.email-domains';
    $approval_key = 'auth.require-approval';
    $lock_key = 'auth.lock-config';

    $domains_value = PhabricatorEnv::getEnvConfig($domains_key);
    $approval_value = PhabricatorEnv::getEnvConfig($approval_key);
    $is_locked = PhabricatorEnv::getEnvConfig($lock_key);

    $results = array(
      $this->newDomainsGuidance($domains_key, $domains_value),
      $this->newApprovalGuidance($approval_key, $approval_value),
    );

    // With no domain allowlist and no approval step, self-registration is
    // fully open; tell the administrator under which conditions that is
    // acceptable.
    if (!$domains_value && !$approval_value) {
      $message = pht(
        'You can safely ignore these warnings if the install itself has '.
        'access controls (for example, it is deployed on a VPN) or if all of '.
        'the configured providers have access controls (for example, they are '.
        'all private LDAP or OAuth servers).');

      $results[] = $this->newWarning('core.auth.warning')
        ->setMessage($message);
    }

    if ($is_locked) {
      // NOTE(review): this link is built inline rather than through
      // renderConfigLink(), so unlike the other config links it has no
      // trailing slash and no target="_blank". Presumably intentional;
      // confirm before unifying.
      $lock_link = phutil_tag(
        'a',
        array(
          'href' => '/config/edit/'.$lock_key,
        ),
        $lock_key);

      $message = pht(
        'Authentication provider configuration is locked, and can not be '.
        'changed without being unlocked. See the configuration setting %s '.
        'for details.',
        $lock_link);

      // Raised priority so the lock notice sorts ahead of the registration
      // guidance.
      $results[] = $this->newWarning('auth.locked-config')
        ->setPriority(500)
        ->setMessage($message);
    }

    return $results;
  }

  /**
   * Check whether any enabled provider lets new users register.
   *
   * Provider configs are loaded as the omnipotent user, so the answer does
   * not depend on who is viewing the config page.
   *
   * @return bool
   */
  private function isRegistrationAllowedByAnyProvider() {
    $configs = id(new PhabricatorAuthProviderConfigQuery())
      ->setViewer(PhabricatorUser::getOmnipotentUser())
      ->withIsEnabled(true)
      ->execute();

    foreach ($configs as $config) {
      if ($config->getProvider()->shouldAllowRegistration()) {
        return true;
      }
    }

    return false;
  }

  /**
   * Guidance describing the state of the email domain allowlist.
   *
   * @param string $key Config key (`auth.email-domains`).
   * @param mixed $domains Configured domains as read from config; falsy when
   *   no restriction is set, otherwise the list passed to implode().
   * @return object Guidance item from newGuidance().
   */
  private function newDomainsGuidance($key, $domains) {
    $link = $this->renderConfigLink($key);

    if (!$domains) {
      $message = pht(
        'Anyone who can browse to this server will be able to register '.
        'an account. To add email domain restrictions, configure %s.',
        $link);

      return $this->newGuidance('core.auth.email-domains.off')
        ->setMessage($message);
    }

    $message = pht(
      'This server is configured with an email domain whitelist (in %s), so '.
      'only users with a verified email address at one of these %s '.
      'allowed domain(s) will be able to register an account: %s',
      $link,
      phutil_count($domains),
      phutil_tag('strong', array(), implode(', ', $domains)));

    return $this->newGuidance('core.auth.email-domains.on')
      ->setMessage($message);
  }

  /**
   * Guidance describing whether new accounts need administrator approval.
   *
   * @param string $key Config key (`auth.require-approval`).
   * @param mixed $is_required Config value; truthy when approval is on.
   * @return object Guidance item from newGuidance().
   */
  private function newApprovalGuidance($key, $is_required) {
    $link = $this->renderConfigLink($key);

    if (!$is_required) {
      $message = pht(
        'Administrative approvals are disabled, so users who register will '.
        'be able to use their accounts immediately. To enable approvals, '.
        'configure %s.',
        $link);

      return $this->newGuidance('core.auth.require-approval.off')
        ->setMessage($message);
    }

    $message = pht(
      'Administrative approvals are enabled (in %s), so all new users must '.
      'have their accounts approved by an administrator.',
      $link);

    return $this->newGuidance('core.auth.require-approval.on')
      ->setMessage($message);
  }

  /**
   * Render a config key as a link to its edit page, opening in a new tab.
   *
   * The anchor is built with phutil_tag() rather than string concatenation
   * so the key is emitted as escaped markup.
   *
   * @param string $key Config key to link.
   * @return PhutilSafeHTML Anchor element.
   */
  private function renderConfigLink($key) {
    $attributes = array(
      'href' => '/config/edit/'.$key.'/',
      'target' => '_blank',
    );

    return phutil_tag('a', $attributes, $key);
  }

}