phorge-phorge/src/applications/auth/controller/PhabricatorLogoutController.php

<?php

final class PhabricatorLogoutController
  extends PhabricatorAuthController {

  public function shouldRequireLogin() {
    return true;
  }

  public function shouldRequireEmailVerification() {
    // Allow unverified users to logout.
    return false;
  }

  public function shouldRequireEnabledUser() {
    // Allow disabled users to logout.
    return false;
  }

  public function processRequest() {
    $request = $this->getRequest();
    $user = $request->getUser();

    if ($request->isFormPost()) {

      $log = PhabricatorUserLog::initializeNewLog(
        $user,
        $user->getPHID(),
        PhabricatorUserLog::ACTION_LOGOUT);
      $log->save();

      // Destroy the user's session in the database so logout works even if
      // their cookies have some issues. We'll detect cookie issues when they
      // try to login again and tell them to clear any junk.
      $phsid = $request->getCookie(PhabricatorCookies::COOKIE_SESSION);
      if (strlen($phsid)) {
        $session = id(new PhabricatorAuthSessionQuery())
          ->setViewer($user)
          ->withSessionKeys(array($phsid))
          ->executeOne();
        if ($session) {
          $session->delete();
        }
      }
      $request->clearCookie(PhabricatorCookies::COOKIE_SESSION);

      return id(new AphrontRedirectResponse())
        ->setURI('/login/');
    }

    if ($user->getPHID()) {
      $dialog = id(new AphrontDialogView())
        ->setUser($user)
        ->setTitle(pht('Log out of Phabricator?'))
        ->appendChild(pht('Are you sure you want to log out?'))
        ->addSubmitButton(pht('Logout'))
        ->addCancelButton('/');

      return id(new AphrontDialogResponse())->setDialog($dialog);
    }

    return id(new AphrontRedirectResponse())->setURI('/');
  }

}
CSRF / Logout 2011-01-31 03:52:29 +01:00			`<?php`

Add "final" to all Phabricator "Controller" classes Summary: These are all unambiguously unextensible. Issues I hit: - Maniphest Change/Diff controllers, just consolidated them. - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects. - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962. Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues. Reviewers: btrahan Reviewed By: btrahan CC: aran, epriestley Maniphest Tasks: T795 Differential Revision: https://secure.phabricator.com/D1843 2012-03-10 00:46:25 +01:00			`final class PhabricatorLogoutController`
			`extends PhabricatorAuthController {`
CSRF / Logout 2011-01-31 03:52:29 +01:00
			`public function shouldRequireLogin() {`
			`return true;`
			`}`

Allow installs to require email verification Summary: Allow installs to require users to verify email addresses before they can use Phabricator. If a user logs in without a verified email address, they're given instructions to verify their address. This isn't too useful on its own since we don't actually have arbitrary email registration, but the next step is to allow installs to restrict email to only some domains (e.g., @mycompany.com). Test Plan: - Verification - Set verification requirement to `true`. - Tried to use Phabricator with an unverified account, was told to verify. - Tried to use Conduit, was given a verification error. - Verified account, used Phabricator. - Unverified account, reset password, verified implicit verification, used Phabricator. - People Admin Interface - Viewed as admin. Clicked "Administrate User". - Viewed as non-admin - Sanity Checks - Used Conduit normally from web/CLI with a verified account. - Logged in/out. - Sent password reset email. - Created a new user. - Logged in with an unverified user but with the configuration set to off. Reviewers: btrahan, vrana, jungejason Reviewed By: btrahan CC: aran, csilvers Maniphest Tasks: T1184 Differential Revision: https://secure.phabricator.com/D2520 2012-05-21 21:47:38 +02:00			`public function shouldRequireEmailVerification() {`
			`// Allow unverified users to logout.`
			`return false;`
			`}`

Admin and disabled flags for users Summary: Provide an "isAdmin" flag for users, to designate administrative users. Restore the account editing interface and allow it to set role flags and reset passwords. Provide an "isDisabled" flag for users and shut down all system access for them. Test Plan: Created "admin" and "disabled" users. Did administrative things with the admin user. Tried to do stuff with the disabled user and was rebuffed. Tried to access administrative interfaces with a normal non-admin user and was denied. Reviewed By: aran Reviewers: tuomaspelkonen, jungejason, aran CC: ccheever, aran Differential Revision: 278 2011-05-12 19:06:54 +02:00			`public function shouldRequireEnabledUser() {`
			`// Allow disabled users to logout.`
			`return false;`
			`}`

CSRF / Logout 2011-01-31 03:52:29 +01:00			`public function processRequest() {`
			`$request = $this->getRequest();`
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302 2011-05-18 03:42:21 +02:00			`$user = $request->getUser();`
CSRF / Logout 2011-01-31 03:52:29 +01:00
			`if ($request->isFormPost()) {`
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302 2011-05-18 03:42:21 +02:00
Allow PhabricatorUserLog to store non-user PHIDs Summary: Ref T4310. This is a small step toward separating out the session code so we can establish sessions for `ExternalAccount` and not just `User`. Also fix an issue with strict MySQL and un-admin / un-disable from web UI. Test Plan: Logged in, logged out, admined/de-admin'd user, added email address, checked user log for all those events. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310 Differential Revision: https://secure.phabricator.com/D7953 2014-01-14 20:05:26 +01:00			`$log = PhabricatorUserLog::initializeNewLog(`
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302 2011-05-18 03:42:21 +02:00			`$user,`
Allow PhabricatorUserLog to store non-user PHIDs Summary: Ref T4310. This is a small step toward separating out the session code so we can establish sessions for `ExternalAccount` and not just `User`. Also fix an issue with strict MySQL and un-admin / un-disable from web UI. Test Plan: Logged in, logged out, admined/de-admin'd user, added email address, checked user log for all those events. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310 Differential Revision: https://secure.phabricator.com/D7953 2014-01-14 20:05:26 +01:00			`$user->getPHID(),`
Provide an activity log for login and administrative actions Summary: This isn't complete, but I figured I'd ship it for review while it's still smallish. Provide an activity log for high-level system actions (logins, admin actions). This basically allows two things to happen: - The log itself is useful if there are shenanigans. - Password login can check it and start CAPTCHA'ing users after a few failed attempts. I'm going to change how the admin stuff works a little bit too, since right now you can make someone an agent, grab their certificate, revert them back to a normal user, and then act on their behalf over Conduit. This is a little silly, I'm going to move "agent" to the create workflow instead. I'll also add a confirm/email step to the administrative password reset flow. Test Plan: Took various administrative and non-administrative actions, they appeared in the logs. Filtered the logs in a bunch of different ways. Reviewers: jungejason, tuomaspelkonen, aran CC: Differential Revision: 302 2011-05-18 03:42:21 +02:00			`PhabricatorUserLog::ACTION_LOGOUT);`
			`$log->save();`

Nuke sessions from the database when users logout Summary: @tomo ran into an issue where he had some non-SSL-only cookie or whatever, so "Logout" had no apparent effect. Make sure "Logout" really works by destroying the session. I originally kept the sessions around to be able to debug session stuff, but we have a fairly good session log now and no reprorted session bugs except for all the cookie stuff. It's also slightly more secure to actually destroy sessions, since it means "logout" breaks any cookies that attackers somehow stole (e.g., by reading your requests off a public wifi network). Test Plan: Commented out the cookie clear and logged out. I was logged out and given a useful error message about clearing my cookies. Reviewers: jungejason, nh, tuomaspelkonen, aran Reviewed By: aran CC: tomo, aran, epriestley Differential Revision: 911 2011-09-08 23:16:59 +02:00			`// Destroy the user's session in the database so logout works even if`
			`// their cookies have some issues. We'll detect cookie issues when they`
			`// try to login again and tell them to clear any junk.`
Consolidate use of magical cookie name strings Summary: Ref T4339. We have more magical cookie names than we should, move them all to a central location. Test Plan: Registered, logged in, linked account, logged out. See inlines. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8041 2014-01-23 23:01:35 +01:00			`$phsid = $request->getCookie(PhabricatorCookies::COOKIE_SESSION);`
			`if (strlen($phsid)) {`
Separate session management from PhabricatorUser Summary: Ref T4310. Ref T3720. Session operations are currently part of PhabricatorUser. This is more tightly coupled than needbe, and makes it difficult to establish login sessions for non-users. Move all the session management code to a `SessionEngine`. Test Plan: - Viewed sessions. - Regenerated Conduit certificate. - Verified Conduit sessions were destroyed. - Logged out. - Logged in. - Ran conduit commands. - Viewed sessions again. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310, T3720 Differential Revision: https://secure.phabricator.com/D7962 2014-01-14 22:22:27 +01:00			`$session = id(new PhabricatorAuthSessionQuery())`
			`->setViewer($user)`
			`->withSessionKeys(array($phsid))`
			`->executeOne();`
			`if ($session) {`
			`$session->delete();`
			`}`
Nuke sessions from the database when users logout Summary: @tomo ran into an issue where he had some non-SSL-only cookie or whatever, so "Logout" had no apparent effect. Make sure "Logout" really works by destroying the session. I originally kept the sessions around to be able to debug session stuff, but we have a fairly good session log now and no reprorted session bugs except for all the cookie stuff. It's also slightly more secure to actually destroy sessions, since it means "logout" breaks any cookies that attackers somehow stole (e.g., by reading your requests off a public wifi network). Test Plan: Commented out the cookie clear and logged out. I was logged out and given a useful error message about clearing my cookies. Reviewers: jungejason, nh, tuomaspelkonen, aran Reviewed By: aran CC: tomo, aran, epriestley Differential Revision: 911 2011-09-08 23:16:59 +02:00			`}`
Consolidate use of magical cookie name strings Summary: Ref T4339. We have more magical cookie names than we should, move them all to a central location. Test Plan: Registered, logged in, linked account, logged out. See inlines. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8041 2014-01-23 23:01:35 +01:00			`$request->clearCookie(PhabricatorCookies::COOKIE_SESSION);`
Nuke sessions from the database when users logout Summary: @tomo ran into an issue where he had some non-SSL-only cookie or whatever, so "Logout" had no apparent effect. Make sure "Logout" really works by destroying the session. I originally kept the sessions around to be able to debug session stuff, but we have a fairly good session log now and no reprorted session bugs except for all the cookie stuff. It's also slightly more secure to actually destroy sessions, since it means "logout" breaks any cookies that attackers somehow stole (e.g., by reading your requests off a public wifi network). Test Plan: Commented out the cookie clear and logged out. I was logged out and given a useful error message about clearing my cookies. Reviewers: jungejason, nh, tuomaspelkonen, aran Reviewed By: aran CC: tomo, aran, epriestley Differential Revision: 911 2011-09-08 23:16:59 +02:00
CSRF / Logout 2011-01-31 03:52:29 +01:00			`return id(new AphrontRedirectResponse())`
			`->setURI('/login/');`
			`}`

Show a "Logout?" dialog when the user goes to /logout/ Summary: Currently, the logout link is this awkward form in the footer since we have to CSRF it. Enable a GET + dialog + confirm workflow instead so the logout link can just be a link instead of this weird mess. Test Plan: Went to /logout/, logged out. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3066 2012-07-25 22:58:49 +02:00			`if ($user->getPHID()) {`
			`$dialog = id(new AphrontDialogView())`
			`->setUser($user)`
Reasonable pht pass at auth. Summary: Spent some time going through auth stuff for pht's. Test Plan: Tested logging in, logging out, reseting password, using Github, creating a new account. I couldn't quite test everything so will double read the diff when I submit it. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4671 2013-01-27 01:17:44 +01:00			`->setTitle(pht('Log out of Phabricator?'))`
Consolidate use of magical cookie name strings Summary: Ref T4339. We have more magical cookie names than we should, move them all to a central location. Test Plan: Registered, logged in, linked account, logged out. See inlines. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8041 2014-01-23 23:01:35 +01:00			`->appendChild(pht('Are you sure you want to log out?'))`
Reasonable pht pass at auth. Summary: Spent some time going through auth stuff for pht's. Test Plan: Tested logging in, logging out, reseting password, using Github, creating a new account. I couldn't quite test everything so will double read the diff when I submit it. Reviewers: epriestley, btrahan Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4671 2013-01-27 01:17:44 +01:00			`->addSubmitButton(pht('Logout'))`
Show a "Logout?" dialog when the user goes to /logout/ Summary: Currently, the logout link is this awkward form in the footer since we have to CSRF it. Enable a GET + dialog + confirm workflow instead so the logout link can just be a link instead of this weird mess. Test Plan: Went to /logout/, logged out. Reviewers: btrahan Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D3066 2012-07-25 22:58:49 +02:00			`->addCancelButton('/');`

			`return id(new AphrontDialogResponse())->setDialog($dialog);`
			`}`

CSRF / Logout 2011-01-31 03:52:29 +01:00			`return id(new AphrontRedirectResponse())->setURI('/');`
			`}`

			`}`