Make many actions require high security

Summary:
Ref T4398. Protects these actions behind a security barrier:

- Link external account.
- Retrieve Conduit token.
- Reveal Passphrase credential.
- Create user.
- Admin/de-admin user.
- Rename user.
- Show conduit certificate.
- Make primary email.
- Change password.
- Change VCS password.
- Add SSH key.
- Generate SSH key.

Test Plan: Tried to take each action and was prompted for two-factor.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8921

+56 -1
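--- a/src/applications/auth/controller/PhabricatorAuthLinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthLinkController.php
@@ -83,6 +83,11 @@
 
     switch ($this->action) {
       case 'link':
+        id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+          $viewer,
+          $request,
+          $panel_uri);
+
         $form = $provider->buildLinkForm($this);
         break;
       case 'refresh':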
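Review bot: The `case 'refresh':` branch on the last line of the hunk stays outside the new high-security gate, while `case 'link':` immediately above it is now protected. The commit summary lists only "Link external account", so this looks deliberate, but the asymmetry is easy to misread as an omission when the switch is revisited. If it is intentional, a comment on the `refresh` case such as `// NOTE: Only linking a new account requires a high-security session.` would record the decision. The enclosing switch and method continue outside the hunk, so I cannot see whether the refresh path is guarded elsewhere.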
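--- a/src/applications/conduit/controller/PhabricatorConduitTokenController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitTokenController.php
@@ -7,8 +7,12 @@
   extends PhabricatorConduitController {
 
   public function processRequest() {
+    $user = $this->getRequest()->getUser();
 
-    $user = $this->getRequest()->getUser();
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $this->getRequest(),
+      '/');
 
     // Ideally we'd like to verify this, but it's fine to leave it unguarded
     // for now and verifying it would need some Ajax junk or for the user to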
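Review bot: The new code calls `$this->getRequest()` twice in processRequest (once to fetch `$user`, once as the second argument to requireHighSecuritySession); fetching it once as `$request = $this->getRequest();` and passing `$request` in both places matches the other call sites in this commit, which all pass a local `$request`. The cancel URI `'/'` also differs from the rest of the commit, where the user who declines the prompt is sent back to the page they came from; if this controller has `getApplicationURI()` available, as PhabricatorPeopleCreateController uses in this same change, that would be a more useful return target than the site root. The body of processRequest continues past the hunk.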
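--- a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
@@ -26,6 +26,11 @@
     $viewer = $request->getUser();
     $user = $this->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     $vcspassword = id(new PhabricatorRepositoryVCSPassword())
       ->loadOneWhere(
         'userPHID = %s',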
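Review bot: The return value of requireHighSecuritySession is captured as `$token` on the first added line, but nothing in the hunk reads it, and the same pattern appears in the PassphraseCredentialRevealController, PhabricatorSettingsPanelEmailAddresses, PhabricatorSettingsPanelPassword and PhabricatorSettingsPanelSSHKeys hunks, whereas the AuthLink, ConduitToken, People*, and SettingsPanelConduit call sites discard the return. The rest of each method is outside the hunks, so `$token` may be used further down; if it is not, drop the assignment and write the call as a bare statement, `id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(` as the other sites do, so a reader does not go looking for a consumer of the token. If the token is meant to be used (for example to annotate the session later), the gated sites should all capture it rather than only half of them.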
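--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -29,6 +29,11 @@
 
     $view_uri = '/K'.$credential->getID();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $view_uri);
+
     if ($request->isFormPost()) {
       if ($credential->getSecret()) {
         $body = id(new PHUIFormLayoutView())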
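--- a/src/applications/people/controller/PhabricatorPeopleCreateController.php
+++ b/src/applications/people/controller/PhabricatorPeopleCreateController.php
@@ -7,6 +7,11 @@
     $request = $this->getRequest();
     $admin = $request->getUser();
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $this->getApplicationURI());
+
     $v_type = 'standard';
     if ($request->isFormPost()) {
       $v_type = $request->getStr('type');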
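--- a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
+++ b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
@@ -23,6 +23,11 @@
 
     $profile_uri = '/p/'.$user->getUsername().'/';
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     if ($user->getPHID() == $admin->getPHID()) {
       return $this->newDialog()
         ->setTitle(pht('Your Way is Blocked'))
</front_update>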
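Review bot: The high-security gate is placed before the `if ($user->getPHID() == $admin->getPHID())` self-check, so an admin who tries to change their own admin flag is first challenged for a second factor and only then told "Your Way is Blocked". That self-check only returns a dialog and performs no mutation, so moving the new `requireHighSecuritySession(...)` call to just after that `if` block would keep every state-changing path gated while avoiding a pointless challenge. The method continues outside the hunk, so I cannot see whether the self-check is the only early return before the form handling.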
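--- a/src/applications/people/controller/PhabricatorPeopleRenameController.php
+++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php
@@ -23,6 +23,11 @@
 
     $profile_uri = '/p/'.$user->getUsername().'/';
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     $errors = array();
 
     $v_username = $user->getUsername();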
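--- a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
@@ -23,6 +23,11 @@
     $user = $this->getUser();
     $viewer = $request->getUser();
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     if ($request->isFormPost()) {
       if (!$request->isDialogFormPost()) {
         $dialog = new AphrontDialogView();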
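--- a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
@@ -330,6 +330,11 @@
 
     $user = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      $this->getPanelURI());
+
     // NOTE: You can only make your own verified addresses primary.
     $email = id(new PhabricatorUserEmail())->loadOneWhere(
       'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',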
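--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@@ -35,6 +35,11 @@
   public function processRequest(AphrontRequest $request) {
     $user = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      '/settings/');
+
     $min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
     $min_len = (int)$min_len;
 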
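--- a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
@@ -276,6 +276,12 @@
     $user = $this->getUser();
     $viewer = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $this->getPanelURI());
+
+
     $is_self = ($user->getPHID() == $viewer->getPHID());
 
     if ($request->isFormPost()) {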
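Review bot: Two consecutive blank lines are added after the `$this->getPanelURI());` line (new lines 283 and 284), which is the only place in this commit where the gate is followed by a double blank; every other call site separates the call from the following statement with a single blank line. Drop one of them so the layout matches the other ten hunks. The gate correctly checks `$viewer` rather than `$user` here, since `$user` may be a different account whose keys the viewer is editing, and the method body continues outside the hunk.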