@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Tell users to "Wait Patiently" for admin account verification later in the registration process

Summary:
Depends on D18790. Ref T13024. Fixes T8335. Currently, "unapproved" and "disabled" users are bundled together. This prevents users from completing some registration steps (verification, legalpad documents, MFA enrollment) before approval.

Separate approval out and move it to the end so users can do all the required enrollment stuff on their end before we roadblock them.

Test Plan: Required approval, email verification, signatures, and MFA. Registered an account. Verified email, signed documents, enrolled in MFA, and then got prompted to wait for approval.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13024, T8335

Differential Revision: https://secure.phabricator.com/D18791

+26 -7
+12
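--- a/src/applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php
+++ b/src/applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php
@@ -9,8 +9,20 @@
 return false;
 }
 
+public function shouldRequireEnabledUser() {
+// Users who haven't been approved yet are allowed to enroll in MFA. We'll
+// kick disabled users out later.
+return false;
+}
+
 public function handleRequest(AphrontRequest $request) {
 $viewer = $this->getViewer();
+
+if ($viewer->getIsDisabled()) {
+// We allowed unapproved and disabled users to hit this controller, but
+// want to kick out disabled users now.
+return new Aphront400Response();
+}
 
 $panel = id(new PhabricatorMultiFactorSettingsPanel())
 ->setUser($viewer)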
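Review bot: The disabled-account rejection added to `handleRequest()` returns a bare `Aphront400Response`, while the base controller in this same commit sends disabled users to `PhabricatorDisabledUserController`; delegating here too, `return $this->delegateToController(new PhabricatorDisabledUserController());` (presumably inherited from the base controller, which calls it), would give that account state one response everywhere. Returning `false` from `shouldRequireEnabledUser()` also switches off every check the base class keeps behind that gate, and only the disabled check is repeated by hand, so the override's comment should say so, e.g. `// NOTE: This skips all enabled-user checks in PhabricatorController; repeat any new one in handleRequest().` The class header and the rest of `handleRequest()` lie outside the hunk, so whether a logged-out viewer can reach the `getIsDisabled()` call is not visible here.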
+11 -4
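--- a/src/applications/base/controller/PhabricatorController.php
+++ b/src/applications/base/controller/PhabricatorController.php
@@ -137,10 +137,6 @@
 }
 
 if ($this->shouldRequireEnabledUser()) {
-if ($user->isLoggedIn() && !$user->getIsApproved()) {
-$controller = new PhabricatorAuthNeedsApprovalController();
-return $this->delegateToController($controller);
-}
 if ($user->getIsDisabled()) {
 $controller = new PhabricatorDisabledUserController();
 return $this->delegateToController($controller);
@@ -232,6 +228,17 @@
 ->setViewer($user)
 ->withPHIDs(array($application->getPHID()))
 ->executeOne();
+}
+
+// If users need approval, require they wait here. We do this near the
+// end so they can take other actions (like verifying email, signing
+// documents, and enrolling in MFA) while waiting for an admin to take a
+// look at things. See T13024 for more discussion.
+if ($this->shouldRequireEnabledUser()) {
+if ($user->isLoggedIn() && !$user->getIsApproved()) {
+$controller = new PhabricatorAuthNeedsApprovalController();
+return $this->delegateToController($controller);
+}
 }
 }
 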
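Review bot: The approval gate added at new lines 237–241 only stops a request that falls through everything between new lines 142 and 231, and that stretch of the method lies outside both hunks. The updated expectations in PhabricatorAccessControlTestCase.php, where unapproved users now pass a controller with `login` set to `false`, suggest at least one path returns before the gate, so it is worth confirming that every early return in between either hands back a roadblock controller or serves content that is meant to be public. The first `shouldRequireEnabledUser()` block now covers disabled users only and deserves a pointer such as `// Approval is checked at the end of this method so pending users can finish enrollment first.` The two nested conditions in the new block could also be a single `if` joined with `&&`.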
+3 -3
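--- a/src/applications/base/controller/__tests__/PhabricatorAccessControlTestCase.php
+++ b/src/applications/base/controller/__tests__/PhabricatorAccessControlTestCase.php
@@ -159,10 +159,10 @@
 $u_unverified,
 $u_admin,
 $u_public,
+$u_notapproved,
 ),
 array(
 $u_disabled,
-$u_notapproved,
 ));
 
 
@@ -224,7 +224,7 @@
 ));
 
 $this->checkAccess(
-pht('Application Controller'),
+pht('Application Controller, No Login Required'),
 id(clone $app_controller)->setConfig('login', false),
 $request,
 array(
@@ -232,10 +232,10 @@
 $u_unverified,
 $u_admin,
 $u_public,
+$u_notapproved,
 ),
 array(
 $u_disabled,
-$u_notapproved,
 ));
 }
 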
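Review bot: Both `checkAccess()` calls touched here move `$u_notapproved` from the denied list to the allowed list with no comment saying the wider access is intended. If it is, a line above the renamed 'Application Controller, No Login Required' case would record that, e.g. `// Unapproved users are only held at the approval gate when login is required.` None of the visible hunks adds a case for the new path in PhabricatorAuthNeedsMultiFactorController, where an unapproved user should reach MFA enrollment and a disabled user should be refused; a test for that would pin the security-relevant half of this commit. The label and config of the first call lie outside its hunk, so which controller configuration it covers cannot be told from here.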