From 3fde02004968df89470b2b0c3e64891fb69a36d2 Mon Sep 17 00:00:00 2001
From: epriestley <git@epriestley.com>
Date: Wed, 30 Apr 2014 17:44:59 -0700
Subject: [PATCH] Make many actions require high security

Summary:
Ref T4398. Protects these actions behind a security barrier:

  - Link external account.
  - Retrieve Conduit token.
  - Reveal Passphrase credential.
  - Create user.
  - Admin/de-admin user.
  - Rename user.
  - Show conduit certificate.
  - Make primary email.
  - Change password.
  - Change VCS password.
  - Add SSH key.
  - Generate SSH key.

Test Plan: Tried to take each action and was prompted for two-factor.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8921
---
 .../auth/controller/PhabricatorAuthLinkController.php       | 5 +++++
 .../controller/PhabricatorConduitTokenController.php        | 6 +++++-
 .../diffusion/panel/DiffusionSetPasswordPanel.php           | 5 +++++
 .../controller/PassphraseCredentialRevealController.php     | 5 +++++
 .../people/controller/PhabricatorPeopleCreateController.php | 5 +++++
 .../controller/PhabricatorPeopleEmpowerController.php       | 5 +++++
 .../people/controller/PhabricatorPeopleRenameController.php | 5 +++++
 .../settings/panel/PhabricatorSettingsPanelConduit.php      | 5 +++++
 .../panel/PhabricatorSettingsPanelEmailAddresses.php        | 5 +++++
 .../settings/panel/PhabricatorSettingsPanelPassword.php     | 5 +++++
 .../settings/panel/PhabricatorSettingsPanelSSHKeys.php      | 6 ++++++
 11 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/src/applications/auth/controller/PhabricatorAuthLinkController.php b/src/applications/auth/controller/PhabricatorAuthLinkController.php
index 46edb68126..4da0fc1c1f 100644
--- a/src/applications/auth/controller/PhabricatorAuthLinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthLinkController.php
@@ -83,6 +83,11 @@ final class PhabricatorAuthLinkController
 
     switch ($this->action) {
       case 'link':
+        id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+          $viewer,
+          $request,
+          $panel_uri);
+
         $form = $provider->buildLinkForm($this);
         break;
       case 'refresh':
diff --git a/src/applications/conduit/controller/PhabricatorConduitTokenController.php b/src/applications/conduit/controller/PhabricatorConduitTokenController.php
index 1bb0dfa2b9..62260b9989 100644
--- a/src/applications/conduit/controller/PhabricatorConduitTokenController.php
+++ b/src/applications/conduit/controller/PhabricatorConduitTokenController.php
@@ -7,9 +7,13 @@ final class PhabricatorConduitTokenController
   extends PhabricatorConduitController {
 
   public function processRequest() {
-
     $user = $this->getRequest()->getUser();
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $this->getRequest(),
+      '/');
+
     // Ideally we'd like to verify this, but it's fine to leave it unguarded
     // for now and verifying it would need some Ajax junk or for the user to
     // click a button or similar.
diff --git a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
index b9d90c8306..a17241f4c3 100644
--- a/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
+++ b/src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
@@ -26,6 +26,11 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
     $viewer = $request->getUser();
     $user = $this->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     $vcspassword = id(new PhabricatorRepositoryVCSPassword())
       ->loadOneWhere(
         'userPHID = %s',
diff --git a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
index b11b370bbc..d1357c44c2 100644
--- a/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
+++ b/src/applications/passphrase/controller/PassphraseCredentialRevealController.php
@@ -29,6 +29,11 @@ final class PassphraseCredentialRevealController
 
     $view_uri = '/K'.$credential->getID();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $view_uri);
+
     if ($request->isFormPost()) {
       if ($credential->getSecret()) {
         $body = id(new PHUIFormLayoutView())
diff --git a/src/applications/people/controller/PhabricatorPeopleCreateController.php b/src/applications/people/controller/PhabricatorPeopleCreateController.php
index fe7815b008..498e096199 100644
--- a/src/applications/people/controller/PhabricatorPeopleCreateController.php
+++ b/src/applications/people/controller/PhabricatorPeopleCreateController.php
@@ -7,6 +7,11 @@ final class PhabricatorPeopleCreateController
     $request = $this->getRequest();
     $admin = $request->getUser();
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $this->getApplicationURI());
+
     $v_type = 'standard';
     if ($request->isFormPost()) {
       $v_type = $request->getStr('type');
diff --git a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
index 7ee8ffc6c2..8b232ec9bb 100644
--- a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
+++ b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
@@ -23,6 +23,11 @@ final class PhabricatorPeopleEmpowerController
 
     $profile_uri = '/p/'.$user->getUsername().'/';
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     if ($user->getPHID() == $admin->getPHID()) {
       return $this->newDialog()
         ->setTitle(pht('Your Way is Blocked'))
diff --git a/src/applications/people/controller/PhabricatorPeopleRenameController.php b/src/applications/people/controller/PhabricatorPeopleRenameController.php
index a785f4d249..873ddeeb5f 100644
--- a/src/applications/people/controller/PhabricatorPeopleRenameController.php
+++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php
@@ -23,6 +23,11 @@ final class PhabricatorPeopleRenameController
 
     $profile_uri = '/p/'.$user->getUsername().'/';
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $admin,
+      $request,
+      $profile_uri);
+
     $errors = array();
 
     $v_username = $user->getUsername();
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
index df050005c1..8666cfc426 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
@@ -23,6 +23,11 @@ final class PhabricatorSettingsPanelConduit
     $user = $this->getUser();
     $viewer = $request->getUser();
 
+    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      '/settings/');
+
     if ($request->isFormPost()) {
       if (!$request->isDialogFormPost()) {
         $dialog = new AphrontDialogView();
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
index 9a8d834178..14ad5c04ac 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
@@ -330,6 +330,11 @@ final class PhabricatorSettingsPanelEmailAddresses
 
     $user = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      $this->getPanelURI());
+
     // NOTE: You can only make your own verified addresses primary.
     $email = id(new PhabricatorUserEmail())->loadOneWhere(
       'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
index bc229fbaab..daccdd28be 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
@@ -35,6 +35,11 @@ final class PhabricatorSettingsPanelPassword
   public function processRequest(AphrontRequest $request) {
     $user = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $user,
+      $request,
+      '/settings/');
+
     $min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
     $min_len = (int)$min_len;
 
diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
index 8ab4a4da6a..1f3418ed72 100644
--- a/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
+++ b/src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
@@ -276,6 +276,12 @@ final class PhabricatorSettingsPanelSSHKeys
     $user = $this->getUser();
     $viewer = $request->getUser();
 
+    $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+      $viewer,
+      $request,
+      $this->getPanelURI());
+
+
     $is_self = ($user->getPHID() == $viewer->getPHID());
 
     if ($request->isFormPost()) {