@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Ask users to sign Legalpad documents before requiring they enroll in MFA

Summary:
Depends on D18789. Ref T13024. See PHI223. Currently, if `security.require-multi-factor-auth` and Legalpad "Signature Required" documents are //both// set, it's not possible to survive account registration, since MFA is required to sign and signatures are required to add MFA.

Instead, check for signatures before requiring MFA enrollment. This makes logical sense, since it's silly to add MFA if you don't agree to a Terms of Service or whatever.

(Note that if you already have MFA, we prompt for that first, before either of these steps, which also makes sense.)

Test Plan: Configured `security.require-multi-factor-auth`. Added a signature-required document. Loaded a page as a new user. Went through signature workflow, then through the MFA enrollment workflow.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13024

Differential Revision: https://secure.phabricator.com/D18790

+13 -6
src/applications/base/controller/PhabricatorController.php
··· 160 160 } 161 161 } 162 162 163 + // Require users sign Legalpad documents before we check if they have 164 + // MFA. If we don't do this, they can get stuck in a state where they 165 + // can't add MFA until they sign, and can't sign until they add MFA. 166 + // See T13024 and PHI223. 167 + $result = $this->requireLegalpadSignatures(); 168 + if ($result !== null) { 169 + return $result; 170 + } 171 + 163 172 // Check if the user needs to configure MFA. 164 173 $need_mfa = $this->shouldRequireMultiFactorEnrollment(); 165 174 $have_mfa = $user->getIsEnrolledInMultiFactor(); ··· 224 233 ->withPHIDs(array($application->getPHID())) 225 234 ->executeOne(); 226 235 } 227 - } 228 - 229 - 230 - $result = $this->requireLegalpadSignatures(); 231 - if ($result !== null) { 232 - return $result; 233 236 } 234 237 235 238 // NOTE: We do this last so that users get a login page instead of a 403 ··· 523 526 } 524 527 525 528 private function requireLegalpadSignatures() { 529 + if (!$this->shouldRequireLogin()) { 530 + return null; 531 + } 532 + 526 533 if ($this->shouldAllowLegallyNonCompliantUsers()) { 527 534 return null; 528 535 }
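Review bot: In the first hunk (the new block before `// Check if the user needs to configure MFA.`), the Legalpad check now runs earlier in the controller flow than it did before, ahead of the point where the old call site sat, and it is only safe there because of the `shouldRequireLogin()` guard added later in this same patch. The new comment explains the MFA/signature deadlock well but not this ordering dependency; one extra sentence such as `// requireLegalpadSignatures() returns null early when login is not required.` would keep a future reader from moving the call back without re-checking that guard. It would also be worth confirming in the test plan that the MFA prompt for an already-enrolled user still comes before the signature prompt, as the summary claims, since that ordering is not visible in this hunk.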
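Review bot: In the second hunk (removal of the old `$result = $this->requireLegalpadSignatures();` block around lines 227-233), the deletion correctly keeps the closing `}` of the enclosing block (`233 236 }`) and also drops the two stray blank lines that preceded the old call, which is a welcome cleanup. Since the `// NOTE: We do this last so that users get a login page instead of a 403` comment now immediately follows this block, please double-check that "last" still reads accurately; the Legalpad check that used to sit between the application lookup and the login check is gone, so the note now describes only the login check, which appears to be the intent.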
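Review bot: In the third hunk (the new `if (!$this->shouldRequireLogin()) { return null; }` at the top of `requireLegalpadSignatures()`), this guard is what prevents an unauthenticated visitor on a page that does not require login from being bounced into the signature workflow now that the call happens earlier; that reasoning is not stated anywhere in the hunk. Suggest a short comment above the guard, e.g. `// Public pages never require signatures; this runs before the login check now.`, and consider whether this condition and the existing `shouldAllowLegallyNonCompliantUsers()` early return directly below it should be folded into a single `if (...) { return null; }` for readability, since both express "no signature gate applies to this request".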