mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 14:00:56 +01:00
Make many actions require high security
Summary: Ref T4398. Protects these actions behind a security barrier: - Link external account. - Retrieve Conduit token. - Reveal Passphrase credential. - Create user. - Admin/de-admin user. - Rename user. - Show conduit certificate. - Make primary email. - Change password. - Change VCS password. - Add SSH key. - Generate SSH key. Test Plan: Tried to take each action and was prompted for two-factor. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8921
This commit is contained in:
parent
cf3f8cd809
commit
3fde020049
11 changed files with 56 additions and 1 deletions
|
@ -83,6 +83,11 @@ final class PhabricatorAuthLinkController
|
|||
|
||||
switch ($this->action) {
|
||||
case 'link':
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
$panel_uri);
|
||||
|
||||
$form = $provider->buildLinkForm($this);
|
||||
break;
|
||||
case 'refresh':
|
||||
|
|
|
@ -7,9 +7,13 @@ final class PhabricatorConduitTokenController
|
|||
extends PhabricatorConduitController {
|
||||
|
||||
public function processRequest() {
|
||||
|
||||
$user = $this->getRequest()->getUser();
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$user,
|
||||
$this->getRequest(),
|
||||
'/');
|
||||
|
||||
// Ideally we'd like to verify this, but it's fine to leave it unguarded
|
||||
// for now and verifying it would need some Ajax junk or for the user to
|
||||
// click a button or similar.
|
||||
|
|
|
@ -26,6 +26,11 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
|
|||
$viewer = $request->getUser();
|
||||
$user = $this->getUser();
|
||||
|
||||
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
'/settings/');
|
||||
|
||||
$vcspassword = id(new PhabricatorRepositoryVCSPassword())
|
||||
->loadOneWhere(
|
||||
'userPHID = %s',
|
||||
|
|
|
@ -29,6 +29,11 @@ final class PassphraseCredentialRevealController
|
|||
|
||||
$view_uri = '/K'.$credential->getID();
|
||||
|
||||
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
$view_uri);
|
||||
|
||||
if ($request->isFormPost()) {
|
||||
if ($credential->getSecret()) {
|
||||
$body = id(new PHUIFormLayoutView())
|
||||
|
|
|
@ -7,6 +7,11 @@ final class PhabricatorPeopleCreateController
|
|||
$request = $this->getRequest();
|
||||
$admin = $request->getUser();
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$admin,
|
||||
$request,
|
||||
$this->getApplicationURI());
|
||||
|
||||
$v_type = 'standard';
|
||||
if ($request->isFormPost()) {
|
||||
$v_type = $request->getStr('type');
|
||||
|
|
|
@ -23,6 +23,11 @@ final class PhabricatorPeopleEmpowerController
|
|||
|
||||
$profile_uri = '/p/'.$user->getUsername().'/';
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$admin,
|
||||
$request,
|
||||
$profile_uri);
|
||||
|
||||
if ($user->getPHID() == $admin->getPHID()) {
|
||||
return $this->newDialog()
|
||||
->setTitle(pht('Your Way is Blocked'))
|
||||
|
|
|
@ -23,6 +23,11 @@ final class PhabricatorPeopleRenameController
|
|||
|
||||
$profile_uri = '/p/'.$user->getUsername().'/';
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$admin,
|
||||
$request,
|
||||
$profile_uri);
|
||||
|
||||
$errors = array();
|
||||
|
||||
$v_username = $user->getUsername();
|
||||
|
|
|
@ -23,6 +23,11 @@ final class PhabricatorSettingsPanelConduit
|
|||
$user = $this->getUser();
|
||||
$viewer = $request->getUser();
|
||||
|
||||
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
'/settings/');
|
||||
|
||||
if ($request->isFormPost()) {
|
||||
if (!$request->isDialogFormPost()) {
|
||||
$dialog = new AphrontDialogView();
|
||||
|
|
|
@ -330,6 +330,11 @@ final class PhabricatorSettingsPanelEmailAddresses
|
|||
|
||||
$user = $request->getUser();
|
||||
|
||||
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$user,
|
||||
$request,
|
||||
$this->getPanelURI());
|
||||
|
||||
// NOTE: You can only make your own verified addresses primary.
|
||||
$email = id(new PhabricatorUserEmail())->loadOneWhere(
|
||||
'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',
|
||||
|
|
|
@ -35,6 +35,11 @@ final class PhabricatorSettingsPanelPassword
|
|||
public function processRequest(AphrontRequest $request) {
|
||||
$user = $request->getUser();
|
||||
|
||||
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$user,
|
||||
$request,
|
||||
'/settings/');
|
||||
|
||||
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
|
||||
$min_len = (int)$min_len;
|
||||
|
||||
|
|
|
@ -276,6 +276,12 @@ final class PhabricatorSettingsPanelSSHKeys
|
|||
$user = $this->getUser();
|
||||
$viewer = $request->getUser();
|
||||
|
||||
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
|
||||
$viewer,
|
||||
$request,
|
||||
$this->getPanelURI());
|
||||
|
||||
|
||||
$is_self = ($user->getPHID() == $viewer->getPHID());
|
||||
|
||||
if ($request->isFormPost()) {
|
||||
|
|
Loading…
Reference in a new issue