
Make many actions require high security

Summary:
Ref T4398. Protects these actions behind a security barrier:

  - Link external account.
  - Retrieve Conduit token.
  - Reveal Passphrase credential.
  - Create user.
  - Admin/de-admin user.
  - Rename user.
  - Show conduit certificate.
  - Make primary email.
  - Change password.
  - Change VCS password.
  - Add SSH key.
  - Generate SSH key.

Test Plan: Tried to take each action and was prompted for two-factor.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8921
epriestley 2014-04-30 17:44:59 -07:00
parent cf3f8cd809
commit 3fde020049
11 changed files with 56 additions and 1 deletions


@ -83,6 +83,11 @@ final class PhabricatorAuthLinkController
switch ($this->action) {
case 'link':
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$panel_uri);
$form = $provider->buildLinkForm($this);
break;
case 'refresh':
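Review bot: Only the `link` branch of the switch is gated; the `refresh` case on the last line of the hunk still runs without `requireHighSecuritySession`. If refreshing an external account re-authorizes with the provider and stores fresh credentials, it is arguably as sensitive as the initial link and could take the same three-argument call with `$panel_uri`; if it is deliberately left open, a one-line comment on the `refresh` case saying so would keep the next reader from re-raising it. The enclosing switch and the method around it continue outside the hunk.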


@ -7,9 +7,13 @@ final class PhabricatorConduitTokenController
extends PhabricatorConduitController {
public function processRequest() {
$user = $this->getRequest()->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$this->getRequest(),
'/');
// Ideally we'd like to verify this, but it's fine to leave it unguarded
// for now and verifying it would need some Ajax junk or for the user to
// click a button or similar.
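Review bot: `$this->getRequest()` is fetched twice, once to read the user on the second line of the hunk and again as the argument to `requireHighSecuritySession`; binding it once, `$request = $this->getRequest(); $user = $request->getUser();`, and passing `$request` matches the shape of every other call site in this commit. The third argument here is the bare `'/'`, whereas the other controllers pass a URI that leads back to the page being protected; if this argument is where the user is sent on cancelling the challenge, dropping them at the site root rather than the Conduit page looks unintentional. processRequest continues outside the hunk.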


@ -26,6 +26,11 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
$viewer = $request->getUser();
$user = $this->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
'/settings/');
$vcspassword = id(new PhabricatorRepositoryVCSPassword())
->loadOneWhere(
'userPHID = %s',
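Review bot: The return value of `requireHighSecuritySession` is captured as `$token` here, and likewise in the Passphrase, email-address, password and SSH-key sections, but the six other call sites in this commit discard it. Nothing in the visible lines reads `$token`; if the rest of the method (outside the hunk) does not use it either, the assignment is dead and should be dropped for parity with the other sites, and if the token does carry state the caller is meant to inspect, then the sites that discard it are the ones missing something. Either way the eleven call sites are easier to audit if they all look the same.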


@ -29,6 +29,11 @@ final class PassphraseCredentialRevealController
$view_uri = '/K'.$credential->getID();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$view_uri);
if ($request->isFormPost()) {
if ($credential->getSecret()) {
$body = id(new PHUIFormLayoutView())


@ -7,6 +7,11 @@ final class PhabricatorPeopleCreateController
$request = $this->getRequest();
$admin = $request->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$this->getApplicationURI());
$v_type = 'standard';
if ($request->isFormPost()) {
$v_type = $request->getStr('type');


@ -23,6 +23,11 @@ final class PhabricatorPeopleEmpowerController
$profile_uri = '/p/'.$user->getUsername().'/';
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$profile_uri);
if ($user->getPHID() == $admin->getPHID()) {
return $this->newDialog()
->setTitle(pht('Your Way is Blocked'))


@ -23,6 +23,11 @@ final class PhabricatorPeopleRenameController
$profile_uri = '/p/'.$user->getUsername().'/';
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$profile_uri);
$errors = array();
$v_username = $user->getUsername();


@ -23,6 +23,11 @@ final class PhabricatorSettingsPanelConduit
$user = $this->getUser();
$viewer = $request->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
'/settings/');
if ($request->isFormPost()) {
if (!$request->isDialogFormPost()) {
$dialog = new AphrontDialogView();
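Review bot: The third argument is the hard-coded `'/settings/'`, while the email-address and SSH-key panels in this commit pass `$this->getPanelURI()`; if this argument is where the user is sent on cancelling the challenge, backing out here lands on the settings index instead of the Conduit panel. Changing the line to `$this->getPanelURI());` keeps the behaviour consistent across panels; the same applies to PhabricatorSettingsPanelPassword, and presumably to DiffusionSetPasswordPanel, which its hunk header shows also extends PhabricatorSettingsPanel. processRequest continues outside the hunk.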


@ -330,6 +330,11 @@ final class PhabricatorSettingsPanelEmailAddresses
$user = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$request,
$this->getPanelURI());
// NOTE: You can only make your own verified addresses primary.
$email = id(new PhabricatorUserEmail())->loadOneWhere(
'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',


@ -35,6 +35,11 @@ final class PhabricatorSettingsPanelPassword
public function processRequest(AphrontRequest $request) {
$user = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$request,
'/settings/');
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
$min_len = (int)$min_len;


@ -276,6 +276,12 @@ final class PhabricatorSettingsPanelSSHKeys
$user = $this->getUser();
$viewer = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$this->getPanelURI());
$is_self = ($user->getPHID() == $viewer->getPHID());
if ($request->isFormPost()) {