Update account roles documentation and remove actAsUser

-42

src/applications/conduit/controller/PhabricatorConduitAPIController.php

··· 60 60 // CSRF validation or are using a non-web authentication mechanism. 61 61 $allow_unguarded_writes = true; 62 62 63 - if (isset($metadata['actAsUser'])) { 64 - $this->actAsUser($api_request, $metadata['actAsUser']); 65 - } 66 - 67 63 if ($auth_error === null) { 68 64 $conduit_user = $api_request->getUser(); 69 65 if ($conduit_user && $conduit_user->getPHID()) { ··· 161 157 ->setAddJSONShield(false) 162 158 ->setContent($response->toDictionary()); 163 159 } 164 - } 165 - 166 - /** 167 - * Change the api request user to the user that we want to act as. 168 - * Only admins can use actAsUser 169 - * 170 - * @param ConduitAPIRequest Request being executed. 171 - * @param string The username of the user we want to act as 172 - */ 173 - private function actAsUser( 174 - ConduitAPIRequest $api_request, 175 - $user_name) { 176 - 177 - $config_key = 'security.allow-conduit-act-as-user'; 178 - if (!PhabricatorEnv::getEnvConfig($config_key)) { 179 - throw new Exception(pht('%s is disabled.', $config_key)); 180 - } 181 - 182 - if (!$api_request->getUser()->getIsAdmin()) { 183 - throw new Exception( 184 - pht( 185 - 'Only administrators can use %s.', 186 - __FUNCTION__)); 187 - } 188 - 189 - $user = id(new PhabricatorUser())->loadOneWhere( 190 - 'userName = %s', 191 - $user_name); 192 - 193 - if (!$user) { 194 - throw new Exception( 195 - pht( 196 - "The %s username '%s' is not a valid user.", 197 - __FUNCTION__, 198 - $user_name)); 199 - } 200 - 201 - $api_request->setUser($user); 202 160 } 203 161 204 162 /**

+3

src/applications/config/check/PhabricatorExtraConfigSetupCheck.php

··· 271 271 'metamta.maniphest.public-create-email' => $public_mail_reason, 272 272 'metamta.maniphest.default-public-author' => $public_mail_reason, 273 273 'metamta.paste.public-create-email' => $public_mail_reason, 274 + 275 + 'security.allow-conduit-act-as-user' => pht( 276 + 'Impersonating users over the API is no longer supported.'), 274 277 ); 275 278 276 279 return $ancient_config;

-16

src/applications/config/option/PhabricatorSecurityConfigOptions.php

··· 278 278 'unsecured content over plain HTTP. It is very difficult to '. 279 279 'undo this change once users\' browsers have accepted the '. 280 280 'setting.')), 281 - $this->newOption('security.allow-conduit-act-as-user', 'bool', false) 282 - ->setBoolOptions( 283 - array( 284 - pht('Allow'), 285 - pht('Disallow'), 286 - )) 287 - ->setLocked(true) 288 - ->setSummary( 289 - pht('Allow administrators to use the Conduit API as other users.')) 290 - ->setDescription( 291 - pht( 292 - 'DEPRECATED - if you enable this, you are allowing '. 293 - 'administrators to act as any user via the Conduit API. '. 294 - 'Enabling this is not advised as it introduces a huge policy '. 295 - 'violation and has been obsoleted in functionality.')), 296 - 297 281 ); 298 282 } 299 283

+52 -25

src/docs/user/userguide/users.diviner

··· 1 1 @title User Guide: Account Roles 2 2 @group userguide 3 3 4 - Describes account roles like "Administrator", "Disabled" and "Bot". 4 + Describes account roles like "Administrator", "Disabled", "Bot" and "Mailing 5 + List". 5 6 6 - = Overview = 7 + 8 + Overview 9 + ======== 7 10 8 11 When you create a user account, you can set roles like "Administrator", 9 - "Disabled" or "Bot". This document explains what these roles mean. 12 + "Disabled", "Bot" and "Mailing List". This document explains what these roles 13 + mean. 10 14 11 - = Administrators = 12 15 13 - **Administrators** are normal users with a few extra capabilities. Their primary 14 - role is to keep things running smoothly, and they are not all-powerful. In 15 - Phabricator, administrators are more like //janitors//. 16 + Administrators 17 + ============== 18 + 19 + **Administrators** are normal users with a few extra capabilities. Their 20 + primary role is to keep things running smoothly, and they are not all-powerful. 21 + In Phabricator, administrators are more like //janitors//. 16 22 17 23 Administrators can create, delete, enable, disable, and approve user accounts. 18 24 Various applications have a few other capabilities which are reserved for ··· 29 35 can't do much damage, and an attacker who compromises an administrator account 30 36 is limited in what they can accomplish. 31 37 32 - NOTE: Administrators currently //can// act on behalf of other users via Conduit. 33 - This will be locked down at some point. 34 38 35 - = Bot/Script Accounts = 39 + Bot Accounts 40 + ============ 36 41 37 - **Bot/Script** accounts are accounts for bots and scripts which need to 42 + **Bot** ("Robot") accounts are accounts for bots and scripts which need to 38 43 interface with the system, but are not regular users. Generally, when you write 39 - scripts that use Conduit (like the IRC bot), you should create a Bot/Script 40 - account for them. 44 + scripts that use the Conduit API, you should create a bot account for them. 41 45 42 - These accounts were previously called "System Agents", but were renamed to make 43 - things more clear. 44 - 45 - The **Bot/Script** role for an account can not be changed after the account is 46 + The **Bot** role for an account can not be changed after the account is 46 47 created. This prevents administrators form changing a normal user into a bot, 47 48 retrieving their Conduit certificate, and then changing them back (which 48 49 would allow administrators to gain other users' credentials). 49 50 50 - **Bot/Script** accounts differ from normal accounts in that: 51 + **Bot** accounts differ from normal accounts in that: 51 52 53 + - they can not log in to the web UI; 52 54 - administrators can access them, edit settings, and retrieve credentials; 53 55 - they do not receive email; 54 56 - they appear with lower precedence in the UI when selecting users, with 55 57 a "Bot" note (because it usually does not make sense to, for example, 56 58 assign a task to a bot). 57 59 58 - = Disabled Users = 60 + 61 + Mailing Lists 62 + ============= 63 + 64 + **Mailing List** accounts let you represent an existing external mailing list 65 + (like a Google Group or a Mailman list) as a user. You can subscribe this user 66 + to objects (like tasks) to send them mail. 67 + 68 + Because these accounts are also user accounts, they can be added to projects 69 + and affected by policies. The list won't receive mail about anything the 70 + underlying user account can't see. 71 + 72 + The **Mailing List** role for an account can not be changed after the account 73 + is created. 74 + 75 + **Mailing List** accounts differ from normal accounts in that they: 76 + 77 + - can not log in; 78 + - can not access the Conduit API; 79 + - administrators can access them and edit settings; and 80 + - they appear with lower precedence in the UI when selecting users, with 81 + a "Mailing List" note. 82 + 83 + 84 + Disabled Users 85 + ============== 59 86 60 87 **Disabled Users** are accounts that are no longer active. Generally, when 61 88 someone leaves a project (e.g., leaves your company, or their internship or 62 - contract ends) you should disable their account to terminate their access to the 63 - system. Disabled users: 89 + contract ends) you should disable their account to terminate their access to 90 + the system. Disabled users: 64 91 65 92 - can not login; 66 - - can not access Conduit; 93 + - can not access the Conduit API; 67 94 - do not receive email; and 68 95 - appear with lower precedence in the UI when selecting users, with a 69 96 "Disabled" note (because it usually does not make sense to, for example, 70 97 assign a task to a disabled user). 71 98 72 99 While users can also be deleted, it is strongly recommended that you disable 73 - them instead if they interacted with any objects in the system. If you delete a 74 - user entirely, you won't be able to find things they used to own or restore 75 - their data later if they rejoin the project. 100 + them instead, particularly if they interacted with any objects in the system. 101 + If you delete a user entirely, you won't be able to find things they used to 102 + own or restore their data later if they rejoin the project.

Configure Feed

Configure Feed