
Require high-security session to sign legal documents

Summary: Ref T3116. If you have MFA on your account, require a code to sign a legal document.

Test Plan: Signed legal documents, got checkpointed.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T3116

Differential Revision: https://secure.phabricator.com/D9772

+21 -1
+12
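--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@@ -274,6 +274,18 @@
 return $this->validateCSRF();
 }
 
+final public function isFormOrHisecPost() {
+$post = $this->getExists(self::TYPE_FORM) &&
+$this->isHTTPPost();
+
+if (!$post) {
+return false;
+}
+
+return $this->validateCSRF();
+}
+
+
 final public function setCookiePrefix($prefix) {
 $this->cookiePrefix = $prefix;
 return $this;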
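Review bot: The new `isFormOrHisecPost()` has no docblock saying how it differs from `isFormPost()` or what a caller must do once it returns true, and that contract is security-relevant. `isFormPost()`'s body lies outside the hunk, so this is inferred from the name and from the caller in LegalpadDocumentSignController: the method presumably also accepts the request re-submitted after an MFA prompt, which means the caller is expected to invoke `requireHighSecuritySession()` itself before acting on the posted data. I would add a docblock stating that, e.g. `/** Like isFormPost(), but also accepts a high-security re-post; callers must call requireHighSecuritySession() before acting. */`, so the method is not adopted as a drop-in replacement for `isFormPost()`. The two consecutive blank lines after the closing brace could be reduced to one.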
+9 -1
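--- a/src/applications/legalpad/controller/LegalpadDocumentSignController.php
+++ b/src/applications/legalpad/controller/LegalpadDocumentSignController.php
@@ -115,7 +115,15 @@
 $e_agree = null;
 
 $errors = array();
-if ($request->isFormPost() && !$has_signed) {
+if ($request->isFormOrHisecPost() && !$has_signed) {
+
+// Require two-factor auth to sign legal documents.
+$engine = new PhabricatorAuthSessionEngine();
+$engine->requireHighSecuritySession(
+$viewer,
+$request,
+'/'.$document->getMonogram());
+
 $name = $request->getStr('name');
 $agree = $request->getExists('agree');
 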
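Review bot: The comment `// Require two-factor auth to sign legal documents.` overstates the check: per the commit summary a code is only demanded when the account has MFA configured, so a viewer without MFA presumably passes straight through. Wording such as `// If the viewer has MFA configured, require a high-security session before accepting the signature.` keeps readers from assuming every signature is MFA-backed. If that stronger guarantee is wanted for legal documents, it needs a separate check that the account has a factor enrolled; `requireHighSecuritySession()` is defined outside this page, so its behaviour for accounts without a factor should be confirmed there. The enclosing method starts and ends outside the hunk.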