@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

During first-time setup, create an administrator account with no authentication instead of weird, detached authentication

Summary:
Ref T6703. Currently, when you create an account on a new install, we prompt you to select a password.

You can't actually use that password unless you set up a password provider, and that password can't be associated with a provider since a password provider won't exist yet.

Instead, just don't ask for a password: create an account with a username and an email address only. Setup guidance points you toward Auth.

If you lose the session, you can send yourself an email link (if email works yet) or `bin/auth recover` it. This isn't really much different than the pre-change behavior, since you can't use the password you set anyway until you configure password auth.

This also makes fixing T9512 more important, which I'll do in a followup. I also plan to add slightly better guideposts toward Auth.

Test Plan: Hit first-time setup, created an account.

Reviewers: amckinley

Reviewed By: amckinley

Subscribers: revi

Maniphest Tasks: T6703

Differential Revision: https://secure.phabricator.com/D20111

+89 -68
+62 -56
src/applications/auth/controller/PhabricatorAuthRegisterController.php
··· 21 21 list($account, $provider, $response) = $result; 22 22 $is_default = false; 23 23 } else if ($this->isFirstTimeSetup()) { 24 - list($account, $provider, $response) = $this->loadSetupAccount(); 24 + $account = null; 25 + $provider = null; 26 + $response = null; 25 27 $is_default = true; 26 28 $is_setup = true; 27 29 } else { ··· 35 37 36 38 $invite = $this->loadInvite(); 37 39 38 - if (!$provider->shouldAllowRegistration()) { 39 - if ($invite) { 40 - // If the user has an invite, we allow them to register with any 41 - // provider, even a login-only provider. 42 - } else { 43 - // TODO: This is a routine error if you click "Login" on an external 44 - // auth source which doesn't allow registration. The error should be 45 - // more tailored. 40 + if (!$is_setup) { 41 + if (!$provider->shouldAllowRegistration()) { 42 + if ($invite) { 43 + // If the user has an invite, we allow them to register with any 44 + // provider, even a login-only provider. 45 + } else { 46 + // TODO: This is a routine error if you click "Login" on an external 47 + // auth source which doesn't allow registration. The error should be 48 + // more tailored. 46 49 47 - return $this->renderError( 48 - pht( 49 - 'The account you are attempting to register with uses an '. 50 - 'authentication provider ("%s") which does not allow '. 51 - 'registration. An administrator may have recently disabled '. 52 - 'registration with this provider.', 53 - $provider->getProviderName())); 50 + return $this->renderError( 51 + pht( 52 + 'The account you are attempting to register with uses an '. 53 + 'authentication provider ("%s") which does not allow '. 54 + 'registration. An administrator may have recently disabled '. 
55 + 'registration with this provider.', 56 + $provider->getProviderName())); 57 + } 54 58 } 55 59 } 56 60 ··· 58 62 59 63 $user = new PhabricatorUser(); 60 64 61 - $default_username = $account->getUsername(); 62 - $default_realname = $account->getRealName(); 65 + if ($is_setup) { 66 + $default_username = null; 67 + $default_realname = null; 68 + $default_email = null; 69 + } else { 70 + $default_username = $account->getUsername(); 71 + $default_realname = $account->getRealName(); 72 + $default_email = $account->getEmail(); 73 + } 63 74 64 75 $account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT; 65 76 $content_source = PhabricatorContentSource::newFromRequest($request); 66 - 67 - $default_email = $account->getEmail(); 68 77 69 78 if ($invite) { 70 79 $default_email = $invite->getEmailAddress(); ··· 212 221 $can_edit_email = $profile->getCanEditEmail(); 213 222 $can_edit_realname = $profile->getCanEditRealName(); 214 223 215 - $must_set_password = $provider->shouldRequireRegistrationPassword(); 224 + if ($is_setup) { 225 + $must_set_password = false; 226 + } else { 227 + $must_set_password = $provider->shouldRequireRegistrationPassword(); 228 + } 216 229 217 230 $can_edit_anything = $profile->getCanEditAnything() || $must_set_password; 218 231 $force_verify = $profile->getShouldVerifyEmail(); ··· 334 347 } 335 348 336 349 if (!$errors) { 337 - $image = $this->loadProfilePicture($account); 338 - if ($image) { 339 - $user->setProfileImagePHID($image->getPHID()); 350 + if (!$is_setup) { 351 + $image = $this->loadProfilePicture($account); 352 + if ($image) { 353 + $user->setProfileImagePHID($image->getPHID()); 354 + } 340 355 } 341 356 342 357 try { ··· 346 361 $verify_email = true; 347 362 } 348 363 349 - if ($value_email === $default_email) { 350 - if ($account->getEmailVerified()) { 351 - $verify_email = true; 352 - } 364 + if (!$is_setup) { 365 + if ($value_email === $default_email) { 366 + if ($account->getEmailVerified()) { 367 + $verify_email = true; 
368 + } 353 369 354 - if ($provider->shouldTrustEmails()) { 355 - $verify_email = true; 356 - } 370 + if ($provider->shouldTrustEmails()) { 371 + $verify_email = true; 372 + } 357 373 358 - if ($invite) { 359 - $verify_email = true; 374 + if ($invite) { 375 + $verify_email = true; 376 + } 360 377 } 361 378 } 362 379 ··· 438 455 $transaction_editor->applyTransactions($user, $xactions); 439 456 } 440 457 441 - $account->setUserPHID($user->getPHID()); 442 - $provider->willRegisterAccount($account); 443 - $account->save(); 458 + if (!$is_setup) { 459 + $account->setUserPHID($user->getPHID()); 460 + $provider->willRegisterAccount($account); 461 + $account->save(); 462 + } 444 463 445 464 $user->saveTransaction(); 446 465 ··· 500 519 ->setExternalAccount($account) 501 520 ->setAuthProvider($provider))); 502 521 } 503 - 504 522 505 523 if ($can_edit_username) { 506 524 $form->appendChild( ··· 595 613 pht( 596 614 'Installation is complete. Register your administrator account '. 597 615 'below to log in. You will be able to configure options and add '. 
598 - 'other authentication mechanisms (like LDAP or OAuth) later on.')); 616 + 'authentication mechanisms later on.')); 599 617 } 600 618 601 619 $object_box = id(new PHUIObjectBoxView()) ··· 612 630 613 631 $view = id(new PHUITwoColumnView()) 614 632 ->setHeader($header) 615 - ->setFooter(array( 616 - $welcome_view, 617 - $invite_header, 618 - $object_box, 619 - )); 633 + ->setFooter( 634 + array( 635 + $welcome_view, 636 + $invite_header, 637 + $object_box, 638 + )); 620 639 621 640 return $this->newPage() 622 641 ->setTitle($title) ··· 654 673 $provider = head($providers); 655 674 $account = $provider->getDefaultExternalAccount(); 656 675 657 - return array($account, $provider, $response); 658 - } 659 - 660 - private function loadSetupAccount() { 661 - $provider = new PhabricatorPasswordAuthProvider(); 662 - $provider->attachProviderConfig( 663 - id(new PhabricatorAuthProviderConfig()) 664 - ->setShouldAllowRegistration(1) 665 - ->setShouldAllowLogin(1) 666 - ->setIsEnabled(true)); 667 - 668 - $account = $provider->getDefaultExternalAccount(); 669 - $response = null; 670 676 return array($account, $provider, $response); 671 677 } 672 678
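Review bot: In PhabricatorAuthRegisterController.php, wrapping the `shouldAllowRegistration()` check in `if (!$is_setup)` leaves `isFirstTimeSetup()` as the only condition guarding creation of this passwordless administrator account, and its implementation is not part of the diff. Please confirm it returns false as soon as the first user is saved, and extend the test plan ("Hit first-time setup, created an account") with a step that reloads the register page after the account exists and checks that it falls through to the normal provider path. Separately, the unchanged context around old lines 500-502 still passes `$account` and `$provider` to `setExternalAccount()` and `setAuthProvider()`; both are now `null` during setup and the enclosing condition is outside the hunk, so confirm that branch cannot run when `$is_setup` is true.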
+1 -1
src/applications/people/storage/PhabricatorUser.php
··· 557 557 558 558 public static function describeValidUsername() { 559 559 return pht( 560 - 'Usernames must contain only numbers, letters, period, underscore and '. 560 + 'Usernames must contain only numbers, letters, period, underscore, and '. 561 561 'hyphen, and can not end with a period. They must have no more than %d '. 562 562 'characters.', 563 563 new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));
+2 -3
src/applications/people/storage/PhabricatorUserEmail.php
··· 83 83 */ 84 84 public static function describeValidAddresses() { 85 85 return pht( 86 - "Email addresses should be in the form '%s'. The maximum ". 87 - "length of an email address is %s character(s).", 88 - 'user@domain.com', 86 + 'Email addresses should be in the form "user@domain.com". The maximum '. 87 + 'length of an email address is %s characters.', 89 88 new PhutilNumber(self::MAX_ADDRESS_LENGTH)); 90 89 } 91 90
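Review bot: In `describeValidAddresses()`, folding `user@domain.com` into the `pht()` string changes both the source text and the placeholder count (two `%s` down to one), so if translations are keyed on the English text, any existing translation of the old string will stop matching and the message will fall back to English. Worth calling out in the summary so translators can pick it up. As a style point, PhabricatorUser.php in this same commit pairs `new PhutilNumber(...)` with `%d` while this string pairs it with `%s`; pick one form for both.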
+24 -8
src/docs/user/configuration/configuring_accounts_and_registration.diviner
··· 3 3 4 4 Describes how to configure user access to Phabricator. 5 5 6 - = Overview = 6 + Overview 7 + ======== 7 8 8 9 Phabricator supports a number of login systems. You can enable or disable these 9 10 systems to configure who can register for and access your install, and how users ··· 28 29 associate an existing Phabricator account with a GitHub OAuth account) or users 29 30 can use it to register new accounts (assuming you enable these options). 30 31 31 - = Recovering Inaccessible Accounts = 32 + 33 + Recovering Inaccessible Accounts 34 + ================================ 32 35 33 36 If you accidentally lock yourself out of Phabricator (for example, by disabling 34 - all authentication providers), you can use the `bin/auth` 35 - script to recover access to an account. To recover access, run: 37 + all authentication providers), you can normally use the "send a login link" 38 + action from the login screen to email yourself a login link and regain access 39 + to your account. 36 40 37 - phabricator/ $ ./bin/auth recover <username> 41 + If that isn't working (perhaps because you haven't configured email yet), you 42 + can use the `bin/auth` script to recover access to an account. To recover 43 + access, run: 44 + 45 + ``` 46 + phabricator/ $ ./bin/auth recover <username> 47 + ``` 38 48 39 49 ...where `<username>` is the account username you want to recover access 40 50 to. This will generate a link which will log you in as the specified user. 41 51 42 - = Managing Accounts with the Web Console = 52 + 53 + Managing Accounts with the Web Console 54 + ====================================== 43 55 44 56 To manage accounts from the web, login as an administrator account and go to 45 57 `/people/` or click "People" on the homepage. Provided you're an admin, 46 58 you'll see options to create or edit accounts. 
47 59 48 - = Manually Creating New Accounts = 60 + 61 + Manually Creating New Accounts 62 + ============================== 49 63 50 64 There are two ways to manually create new accounts: via the web UI using 51 65 the "People" application (this is easiest), or via the CLI using the ··· 60 74 an administrator (if you accidentally remove your admin flag) or to create an 61 75 administrative account. 62 76 63 - = Next Steps = 77 + 78 + Next Steps 79 + ========== 64 80 65 81 Continue by: 66 82
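Review bot: The rewritten "Recovering Inaccessible Accounts" section still describes lockout as something you cause "by disabling all authentication providers", but after this commit every fresh install starts in that state: the administrator account has no password and no provider until Auth is configured. Add a sentence saying so, with a pointer to configuring a provider right after setup, so the reader knows that a lost session on a new install leaves only the login link or `bin/auth recover`. Since the text says the generated link "will log you in as the specified user", it would also help to state that the link should be handled like a credential.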