2011-02-28 04:47:22 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2012-01-16 16:30:28 +01:00
|
|
|
* Copyright 2012 Facebook, Inc.
|
2011-02-28 04:47:22 +01:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2012-03-10 00:46:25 +01:00
|
|
|
final class PhabricatorOAuthDefaultRegistrationController
|
2011-02-28 04:47:22 +01:00
|
|
|
extends PhabricatorOAuthRegistrationController {
|
|
|
|
|
|
|
|
public function processRequest() {
|
|
|
|
$provider = $this->getOAuthProvider();
|
|
|
|
$oauth_info = $this->getOAuthInfo();
|
|
|
|
$request = $this->getRequest();
|
|
|
|
|
|
|
|
$errors = array();
|
|
|
|
$e_username = true;
|
|
|
|
$e_email = true;
|
|
|
|
$e_realname = true;
|
|
|
|
|
|
|
|
$user = new PhabricatorUser();
|
|
|
|
|
|
|
|
$user->setUsername($provider->retrieveUserAccountName());
|
|
|
|
$user->setRealName($provider->retrieveUserRealName());
|
2012-05-07 19:29:33 +02:00
|
|
|
|
|
|
|
$new_email = $provider->retrieveUserEmail();
|
2011-02-28 04:47:22 +01:00
|
|
|
|
Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
- Registered with OAuth
- Created an account with accountadmin
- Added an email
- With restrictions:
- Tried to OAuth register with a restricted address, was prompted to provide a valid one.
- Tried to OAuth register with a valid address, worked fine.
- Tried to accountadmin a restricted address, got blocked.
- Tried to accountadmin a valid address, worked fine.
- Tried to add a restricted address, blocked.
- Tried to add a valid address, worked fine.
- Created a user with People with an invalid address, got blocked.
- Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
2012-05-26 15:04:35 +02:00
|
|
|
if ($new_email) {
|
|
|
|
// If the user's OAuth provider account has an email address but the
|
|
|
|
// email address domain is not allowed by the Phabricator configuration,
|
|
|
|
// we just pretend the provider did not supply an address.
|
|
|
|
//
|
|
|
|
// For instance, if the user uses Google OAuth and their Google address
|
|
|
|
// is "joe@personal.com" but Phabricator is configured to require users
|
|
|
|
// use "@company.com" addresses, we show a prompt below and tell the user
|
|
|
|
// to provide their "@company.com" address. They can still use the OAuth
|
|
|
|
// account to login, they just need to associate their account with an
|
|
|
|
// allowed address.
|
|
|
|
//
|
|
|
|
// If the OAuth address is fine, we just use it and don't prompt the user.
|
|
|
|
if (!PhabricatorUserEmail::isAllowedAddress($new_email)) {
|
|
|
|
$new_email = null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$show_email_input = ($new_email === null);
|
|
|
|
|
2011-02-28 04:47:22 +01:00
|
|
|
if ($request->isFormPost()) {
|
|
|
|
|
|
|
|
$user->setUsername($request->getStr('username'));
|
|
|
|
$username = $user->getUsername();
|
|
|
|
if (!strlen($user->getUsername())) {
|
|
|
|
$e_username = 'Required';
|
|
|
|
$errors[] = 'Username is required.';
|
2012-01-16 16:30:28 +01:00
|
|
|
} else if (!PhabricatorUser::validateUsername($username)) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$e_username = 'Invalid';
|
2012-06-06 16:09:05 +02:00
|
|
|
$errors[] = PhabricatorUser::describeValidUsername();
|
2011-02-28 04:47:22 +01:00
|
|
|
} else {
|
|
|
|
$e_username = null;
|
|
|
|
}
|
|
|
|
|
2012-05-07 19:29:33 +02:00
|
|
|
if (!$new_email) {
|
|
|
|
$new_email = trim($request->getStr('email'));
|
|
|
|
if (!$new_email) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$e_email = 'Required';
|
|
|
|
$errors[] = 'Email is required.';
|
|
|
|
} else {
|
|
|
|
$e_email = null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
- Registered with OAuth
- Created an account with accountadmin
- Added an email
- With restrictions:
- Tried to OAuth register with a restricted address, was prompted to provide a valid one.
- Tried to OAuth register with a valid address, worked fine.
- Tried to accountadmin a restricted address, got blocked.
- Tried to accountadmin a valid address, worked fine.
- Tried to add a restricted address, blocked.
- Tried to add a valid address, worked fine.
- Created a user with People with an invalid address, got blocked.
- Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
2012-05-26 15:04:35 +02:00
|
|
|
if ($new_email) {
|
|
|
|
$email_ok = PhabricatorUserEmail::isAllowedAddress($new_email);
|
|
|
|
if (!$email_ok) {
|
|
|
|
$e_email = 'Invalid';
|
|
|
|
$errors[] = PhabricatorUserEmail::describeAllowedAddresses();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-05-07 02:01:00 +02:00
|
|
|
if (!strlen($user->getRealName())) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$user->setRealName($request->getStr('realname'));
|
2011-05-07 02:01:00 +02:00
|
|
|
if (!strlen($user->getRealName())) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$e_realname = 'Required';
|
|
|
|
$errors[] = 'Real name is required.';
|
|
|
|
} else {
|
|
|
|
$e_realname = null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!$errors) {
|
2011-02-28 19:15:42 +01:00
|
|
|
$image = $provider->retrieveUserProfileImage();
|
2011-02-28 04:47:22 +01:00
|
|
|
if ($image) {
|
|
|
|
$file = PhabricatorFile::newFromFileData(
|
|
|
|
$image,
|
|
|
|
array(
|
2011-07-08 06:17:00 +02:00
|
|
|
'name' => $provider->getProviderKey().'-profile.jpg',
|
|
|
|
'authorPHID' => $user->getPHID(),
|
2011-02-28 04:47:22 +01:00
|
|
|
));
|
|
|
|
$user->setProfileImagePHID($file->getPHID());
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
2012-05-07 19:29:33 +02:00
|
|
|
// NOTE: We don't verify OAuth email addresses by default because
|
|
|
|
// OAuth providers might associate email addresses with accounts that
|
|
|
|
// haven't actually verified they own them. We could selectively
|
|
|
|
// auto-verify some providers that we trust here, but the stakes for
|
|
|
|
// verifying an email address are high because having a corporate
|
|
|
|
// address at a company is sometimes the key to the castle.
|
|
|
|
|
2012-05-25 16:30:44 +02:00
|
|
|
|
|
|
|
$email_obj = id(new PhabricatorUserEmail())
|
2012-05-07 19:29:33 +02:00
|
|
|
->setAddress($new_email)
|
2012-05-25 16:30:44 +02:00
|
|
|
->setIsVerified(0);
|
|
|
|
|
|
|
|
id(new PhabricatorUserEditor())
|
|
|
|
->setActor($user)
|
|
|
|
->createNewUser($user, $email_obj);
|
2012-05-07 19:29:33 +02:00
|
|
|
|
2011-02-28 04:47:22 +01:00
|
|
|
$oauth_info->setUserID($user->getID());
|
|
|
|
$oauth_info->save();
|
|
|
|
|
|
|
|
$session_key = $user->establishSession('web');
|
|
|
|
$request->setCookie('phusr', $user->getUsername());
|
|
|
|
$request->setCookie('phsid', $session_key);
|
2012-05-07 19:29:33 +02:00
|
|
|
|
2012-05-25 16:30:44 +02:00
|
|
|
$email_obj->sendVerificationEmail($user);
|
2012-05-07 19:29:33 +02:00
|
|
|
|
2011-02-28 04:47:22 +01:00
|
|
|
return id(new AphrontRedirectResponse())->setURI('/');
|
|
|
|
} catch (AphrontQueryDuplicateKeyException $exception) {
|
|
|
|
|
|
|
|
$same_username = id(new PhabricatorUser())->loadOneWhere(
|
|
|
|
'userName = %s',
|
|
|
|
$user->getUserName());
|
|
|
|
|
2012-05-07 19:29:33 +02:00
|
|
|
$same_email = id(new PhabricatorUserEmail())->loadOneWhere(
|
|
|
|
'address = %s',
|
|
|
|
$new_email);
|
2011-02-28 04:47:22 +01:00
|
|
|
|
|
|
|
if ($same_username) {
|
|
|
|
$e_username = 'Duplicate';
|
|
|
|
$errors[] = 'That username or email is not unique.';
|
|
|
|
} else if ($same_email) {
|
|
|
|
$e_email = 'Duplicate';
|
|
|
|
$errors[] = 'That email is not unique.';
|
|
|
|
} else {
|
|
|
|
throw $exception;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$error_view = null;
|
|
|
|
if ($errors) {
|
|
|
|
$error_view = new AphrontErrorView();
|
|
|
|
$error_view->setTitle('Registration Failed');
|
|
|
|
$error_view->setErrors($errors);
|
|
|
|
}
|
|
|
|
|
2012-02-08 19:26:04 +01:00
|
|
|
// Strip the URI down to the path, because otherwise we'll trigger
|
|
|
|
// external CSRF protection (by having a protocol in the form "action")
|
|
|
|
// and generate a form with no CSRF token.
|
|
|
|
$action_uri = new PhutilURI($provider->getRedirectURI());
|
|
|
|
$action_path = $action_uri->getPath();
|
|
|
|
|
2011-02-28 04:47:22 +01:00
|
|
|
$form = new AphrontFormView();
|
|
|
|
$form
|
2012-05-09 20:19:06 +02:00
|
|
|
->addHiddenInput('confirm_token', $provider->getAccessToken())
|
2011-02-28 04:47:22 +01:00
|
|
|
->addHiddenInput('expires', $oauth_info->getTokenExpires())
|
2011-03-08 04:29:51 +01:00
|
|
|
->addHiddenInput('state', $this->getOAuthState())
|
2011-02-28 04:47:22 +01:00
|
|
|
->setUser($request->getUser())
|
2012-02-08 19:26:04 +01:00
|
|
|
->setAction($action_path)
|
2011-02-28 04:47:22 +01:00
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormTextControl())
|
|
|
|
->setLabel('Username')
|
|
|
|
->setName('username')
|
|
|
|
->setValue($user->getUsername())
|
|
|
|
->setError($e_username));
|
|
|
|
|
Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
- Registered with OAuth
- Created an account with accountadmin
- Added an email
- With restrictions:
- Tried to OAuth register with a restricted address, was prompted to provide a valid one.
- Tried to OAuth register with a valid address, worked fine.
- Tried to accountadmin a restricted address, got blocked.
- Tried to accountadmin a valid address, worked fine.
- Tried to add a restricted address, blocked.
- Tried to add a valid address, worked fine.
- Created a user with People with an invalid address, got blocked.
- Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
2012-05-26 15:04:35 +02:00
|
|
|
if ($show_email_input) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$form->appendChild(
|
|
|
|
id(new AphrontFormTextControl())
|
|
|
|
->setLabel('Email')
|
|
|
|
->setName('email')
|
|
|
|
->setValue($request->getStr('email'))
|
Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
- Registered with OAuth
- Created an account with accountadmin
- Added an email
- With restrictions:
- Tried to OAuth register with a restricted address, was prompted to provide a valid one.
- Tried to OAuth register with a valid address, worked fine.
- Tried to accountadmin a restricted address, got blocked.
- Tried to accountadmin a valid address, worked fine.
- Tried to add a restricted address, blocked.
- Tried to add a valid address, worked fine.
- Created a user with People with an invalid address, got blocked.
- Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
2012-05-26 15:04:35 +02:00
|
|
|
->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
|
2011-02-28 04:47:22 +01:00
|
|
|
->setError($e_email));
|
|
|
|
}
|
|
|
|
|
Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
- Registered with OAuth
- Created an account with accountadmin
- Added an email
- With restrictions:
- Tried to OAuth register with a restricted address, was prompted to provide a valid one.
- Tried to OAuth register with a valid address, worked fine.
- Tried to accountadmin a restricted address, got blocked.
- Tried to accountadmin a valid address, worked fine.
- Tried to add a restricted address, blocked.
- Tried to add a valid address, worked fine.
- Created a user with People with an invalid address, got blocked.
- Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
2012-05-26 15:04:35 +02:00
|
|
|
if ($provider->retrieveUserRealName() === null) {
|
2011-02-28 04:47:22 +01:00
|
|
|
$form->appendChild(
|
|
|
|
id(new AphrontFormTextControl())
|
|
|
|
->setLabel('Real Name')
|
|
|
|
->setName('realname')
|
|
|
|
->setValue($request->getStr('realname'))
|
|
|
|
->setError($e_realname));
|
|
|
|
}
|
|
|
|
|
|
|
|
$form
|
|
|
|
->appendChild(
|
|
|
|
id(new AphrontFormSubmitControl())
|
|
|
|
->setValue('Create Account'));
|
|
|
|
|
|
|
|
$panel = new AphrontPanelView();
|
|
|
|
$panel->setHeader('Create New Account');
|
|
|
|
$panel->setWidth(AphrontPanelView::WIDTH_FORM);
|
|
|
|
$panel->appendChild($form);
|
|
|
|
|
|
|
|
return $this->buildStandardPageResponse(
|
|
|
|
array(
|
|
|
|
$error_view,
|
|
|
|
$panel,
|
|
|
|
),
|
|
|
|
array(
|
|
|
|
'title' => 'Create New Account',
|
|
|
|
));
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|