

Convert "Rename User" from session MFA to one-shot MFA

Summary:
Depends on D20035. Ref T13222.

- Allow individual transactions to request one-shot MFA if available.
- Make "change username" request MFA.

Test Plan:
- Renamed a user, got prompted for MFA, provided it.
- Saw that I no longer remain in high-security after performing the edit.
- Grepped for other uses of `PhabricatorUserUsernameTransaction`, found none.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20036

+49 -20
+2 -6
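--- a/src/applications/people/controller/PhabricatorPeopleRenameController.php
+++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php
@@ -17,14 +17,9 @@
 
     $done_uri = $this->getApplicationURI("manage/{$id}/");
 
-    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
-      $viewer,
-      $request,
-      $done_uri);
-
     $validation_exception = null;
     $username = $user->getUsername();
-    if ($request->isFormPost()) {
+    if ($request->isFormOrHisecPost()) {
       $username = $request->getStr('username');
       $xactions = array();
 
@@ -36,6 +31,7 @@
     $editor = id(new PhabricatorUserTransactionEditor())
       ->setActor($viewer)
       ->setContentSourceFromRequest($request)
+      ->setCancelURI($done_uri)
       ->setContinueOnMissingFields(true);
 
     try {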
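Review bot: After this hunk nothing in the visible controller body asserts MFA itself: the `requireHighSecuritySession()` call that previously gated every request to this controller (including the GET that renders the rename form) is gone, and enforcement now rests entirely on `PhabricatorUserUsernameTransaction::shouldTryMFA()` plus the editor, so the form is rendered to any viewer who passes the controller's (not visible) policy check and the challenge is only issued at submit. That matches the summary, but a maintainer reading this file will see no MFA at all and may re-add a session check or assume there is none; add a comment above the `if ($request->isFormOrHisecPost()) {` line: `// MFA is requested per-transaction by PhabricatorUserUsernameTransaction::shouldTryMFA(); the editor issues a one-shot challenge and the post-challenge resubmit arrives here as a hisec post.` It is also worth confirming that `setContentSourceFromRequest($request)` is enough for the editor to render that challenge; if it does not also hand the request to the editor, a `->setRequest($request)` belongs next to the new `->setCancelURI($done_uri)`. The enclosing method begins before and ends after this hunk.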
+7
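--- a/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php
+++ b/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php
@@ -89,4 +89,11 @@
 
     return null;
   }
+
+  public function shouldTryMFA(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+    return true;
+  }
+
 }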
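Review bot: The new `shouldTryMFA()` override returns a bare `true` with no comment on why a username change opts in or what the "try" form buys, and with the controller no longer elevating the session itself this return value is now what gates a rename with MFA. If "try" is best-effort as the summary's "if available" suggests, an actor with no factors enrolled is renamed without any challenge, which a reader of this class cannot tell from the method. Suggest a docblock above it: `/** Renaming changes the account's login identity, so ask the editor for a one-shot MFA challenge before applying; this is the only MFA gate on the rename now that the controller does not require a high-security session. */`.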
+34 -14
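--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -4906,20 +4906,47 @@
     PhabricatorLiskDAO $object,
     array $xactions) {
 
-    $is_mfa = ($object instanceof PhabricatorEditEngineMFAInterface);
-    if (!$is_mfa) {
-      return $xactions;
+    $has_engine = ($object instanceof PhabricatorEditEngineMFAInterface);
+    if ($has_engine) {
+      $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object)
+        ->setViewer($this->getActor());
+      $require_mfa = $engine->shouldRequireMFA();
+      $try_mfa = $engine->shouldTryMFA();
+    } else {
+      $require_mfa = false;
+      $try_mfa = false;
     }
 
-    $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object)
-      ->setViewer($this->getActor());
-    $require_mfa = $engine->shouldRequireMFA();
+    // If the user is mentioning an MFA object on another object or creating
+    // a relationship like "parent" or "child" to this object, we always
+    // allow the edit to move forward without requiring MFA.
+    if ($this->getIsInverseEdgeEditor()) {
+      return $xactions;
+    }
 
     if (!$require_mfa) {
-      $try_mfa = $engine->shouldTryMFA();
+      // If the object hasn't already opted into MFA, see if any of the
+      // transactions want it.
+      if (!$try_mfa) {
+        foreach ($xactions as $xaction) {
+          $type = $xaction->getTransactionType();
+
+          $xtype = $this->getModularTransactionType($type);
+          if ($xtype) {
+            $xtype = clone $xtype;
+            $xtype->setStorage($xaction);
+            if ($xtype->shouldTryMFA($object, $xaction)) {
+              $try_mfa = true;
+              break;
+            }
+          }
+        }
+      }
+
       if ($try_mfa) {
         $this->setShouldRequireMFA(true);
       }
+
       return $xactions;
     }
 
@@ -4934,12 +4961,5 @@
     }
 
     if ($has_mfa) {
-      return $xactions;
-    }
-
-    // If the user is mentioning an MFA object on another object or creating
-    // a relationship like "parent" or "child" to this object, we allow the
-    // edit to move forward without requiring MFA.
-    if ($this->getIsInverseEdgeEditor()) {
       return $xactions;
     }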
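Review bot: The per-transaction scan (the `foreach` under `if (!$try_mfa)`) can only ever request the weaker "try" form of MFA: it runs inside `if (!$require_mfa)`, sets nothing but `$try_mfa`, and funnels into the same `setShouldRequireMFA(true)` as an engine-level try, so no transaction type can escalate an edit into the unconditional require branch below. If "try" means what the summary's "if available" suggests (no challenge for an actor with no enrolled factors), that limit should be stated where `$try_mfa = true` is set, e.g. `// A transaction can only request best-effort ("try") MFA; it cannot force the require path.` The scan also silently ignores non-modular transaction types, since `getModularTransactionType()` returning null falls through `if ($xtype)`, which deserves a one-line comment on that branch so nobody expects a legacy transaction type to be able to opt in. Note the new early return for inverse-edge editors now sits before both the try and require paths, which is a deliberate widening relative to the removed check in the second hunk and is covered by the updated "always" wording. The enclosing method starts before this hunk and the require-MFA branch continues past it.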
+6
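--- a/src/applications/transactions/storage/PhabricatorModularTransactionType.php
+++ b/src/applications/transactions/storage/PhabricatorModularTransactionType.php
@@ -425,4 +425,10 @@
     return PhabricatorPolicyCapability::CAN_EDIT;
   }
 
+  public function shouldTryMFA(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+    return false;
+  }
+
 }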
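Review bot: The new base-class hook carries no docblock stating its contract, and since every modular transaction type inherits it this is the one place the semantics should be spelled out: the editor consults it only when the object's MFA engine has neither required nor requested MFA, calls it on a clone with `setStorage()` already applied, and treats `true` as a request for the one-shot "try" form rather than an unconditional requirement. Suggest a docblock above the method: `/** Return true to ask the editor to challenge the actor with one-shot MFA before this transaction is applied. Consulted only when the object's MFA engine has not already required or requested MFA; the default opts out. */`. Whether "try" is skipped for actors with no enrolled factors is not visible in this change and should be stated in the same docblock if that is the behaviour.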