Convert "Empower" from state-based MFA to one-shot MFA

Summary: Ref T13382. Currently, the "Make Administrator" action in the web UI does state-based MFA. Convert it to one-shot MFA.

Test Plan: Empowered and unempowered a user from the web UI, got one-shot MFA'd. Empowered a user from the CLI, no MFA issues.

Maniphest Tasks: T13382

Differential Revision: https://secure.phabricator.com/D20729

src/applications/people/controller/PhabricatorPeopleEmpowerController.php

@@ -17,14 +17,8 @@ final class PhabricatorPeopleEmpowerController
 
     $done_uri = $this->getApplicationURI("manage/{$id}/");
 
-    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
-      $viewer,
-      $request,
-      $done_uri);
-
     $validation_exception = null;
-
-    if ($request->isFormPost()) {
+    if ($request->isFormOrHisecPost()) {
       $xactions = array();
       $xactions[] = id(new PhabricatorUserTransaction())
         ->setTransactionType(
@@ -34,7 +28,8 @@ final class PhabricatorPeopleEmpowerController
       $editor = id(new PhabricatorUserTransactionEditor())
         ->setActor($viewer)
         ->setContentSourceFromRequest($request)
-        ->setContinueOnMissingFields(true);
+        ->setContinueOnMissingFields(true)
+        ->setCancelURI($done_uri);
 
       try {
         $editor->applyTransactions($user, $xactions);

src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php

@@ -86,4 +86,11 @@ final class PhabricatorUserEmpowerTransaction
 
     return null;
   }
+
+  public function shouldTryMFA(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+    return true;
+  }
+
 }