1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 08:42:41 +01:00

During first-time setup, create an administrator account with no authentication instead of weird, detached authentication

Summary:
Ref T6703. Currently, when you create an account on a new install, we prompt you to select a password.

You can't actually use that password unless you set up a password provider, and that password can't be associated with a provider since a password provider won't exist yet.

Instead, just don't ask for a password: create an account with a username and an email address only. Setup guidance points you toward Auth.

If you lose the session, you can send yourself an email link (if email works yet) or `bin/auth recover` it. This isn't really much different than the pre-change behavior, since you can't use the password you set anyway until you configure password auth.

This also makes fixing T9512 more important, which I'll do in a followup. I also plan to add slightly better guideposts toward Auth.

Test Plan: Hit first-time setup, created an account.

Reviewers: amckinley

Reviewed By: amckinley

Subscribers: revi

Maniphest Tasks: T6703

Differential Revision: https://secure.phabricator.com/D20111
This commit is contained in:
epriestley 2019-02-06 12:59:55 -08:00
parent 378a43d09c
commit 55c18bc900
4 changed files with 89 additions and 68 deletions

View file

@ -21,7 +21,9 @@ final class PhabricatorAuthRegisterController
list($account, $provider, $response) = $result; list($account, $provider, $response) = $result;
$is_default = false; $is_default = false;
} else if ($this->isFirstTimeSetup()) { } else if ($this->isFirstTimeSetup()) {
list($account, $provider, $response) = $this->loadSetupAccount(); $account = null;
$provider = null;
$response = null;
$is_default = true; $is_default = true;
$is_setup = true; $is_setup = true;
} else { } else {
@ -35,6 +37,7 @@ final class PhabricatorAuthRegisterController
$invite = $this->loadInvite(); $invite = $this->loadInvite();
if (!$is_setup) {
if (!$provider->shouldAllowRegistration()) { if (!$provider->shouldAllowRegistration()) {
if ($invite) { if ($invite) {
// If the user has an invite, we allow them to register with any // If the user has an invite, we allow them to register with any
@ -53,19 +56,25 @@ final class PhabricatorAuthRegisterController
$provider->getProviderName())); $provider->getProviderName()));
} }
} }
}
$errors = array(); $errors = array();
$user = new PhabricatorUser(); $user = new PhabricatorUser();
if ($is_setup) {
$default_username = null;
$default_realname = null;
$default_email = null;
} else {
$default_username = $account->getUsername(); $default_username = $account->getUsername();
$default_realname = $account->getRealName(); $default_realname = $account->getRealName();
$default_email = $account->getEmail();
}
$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT; $account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
$content_source = PhabricatorContentSource::newFromRequest($request); $content_source = PhabricatorContentSource::newFromRequest($request);
$default_email = $account->getEmail();
if ($invite) { if ($invite) {
$default_email = $invite->getEmailAddress(); $default_email = $invite->getEmailAddress();
} }
@ -212,7 +221,11 @@ final class PhabricatorAuthRegisterController
$can_edit_email = $profile->getCanEditEmail(); $can_edit_email = $profile->getCanEditEmail();
$can_edit_realname = $profile->getCanEditRealName(); $can_edit_realname = $profile->getCanEditRealName();
if ($is_setup) {
$must_set_password = false;
} else {
$must_set_password = $provider->shouldRequireRegistrationPassword(); $must_set_password = $provider->shouldRequireRegistrationPassword();
}
$can_edit_anything = $profile->getCanEditAnything() || $must_set_password; $can_edit_anything = $profile->getCanEditAnything() || $must_set_password;
$force_verify = $profile->getShouldVerifyEmail(); $force_verify = $profile->getShouldVerifyEmail();
@ -334,10 +347,12 @@ final class PhabricatorAuthRegisterController
} }
if (!$errors) { if (!$errors) {
if (!$is_setup) {
$image = $this->loadProfilePicture($account); $image = $this->loadProfilePicture($account);
if ($image) { if ($image) {
$user->setProfileImagePHID($image->getPHID()); $user->setProfileImagePHID($image->getPHID());
} }
}
try { try {
$verify_email = false; $verify_email = false;
@ -346,6 +361,7 @@ final class PhabricatorAuthRegisterController
$verify_email = true; $verify_email = true;
} }
if (!$is_setup) {
if ($value_email === $default_email) { if ($value_email === $default_email) {
if ($account->getEmailVerified()) { if ($account->getEmailVerified()) {
$verify_email = true; $verify_email = true;
@ -359,6 +375,7 @@ final class PhabricatorAuthRegisterController
$verify_email = true; $verify_email = true;
} }
} }
}
$email_obj = null; $email_obj = null;
if ($invite) { if ($invite) {
@ -438,9 +455,11 @@ final class PhabricatorAuthRegisterController
$transaction_editor->applyTransactions($user, $xactions); $transaction_editor->applyTransactions($user, $xactions);
} }
if (!$is_setup) {
$account->setUserPHID($user->getPHID()); $account->setUserPHID($user->getPHID());
$provider->willRegisterAccount($account); $provider->willRegisterAccount($account);
$account->save(); $account->save();
}
$user->saveTransaction(); $user->saveTransaction();
@ -501,7 +520,6 @@ final class PhabricatorAuthRegisterController
->setAuthProvider($provider))); ->setAuthProvider($provider)));
} }
if ($can_edit_username) { if ($can_edit_username) {
$form->appendChild( $form->appendChild(
id(new AphrontFormTextControl()) id(new AphrontFormTextControl())
@ -595,7 +613,7 @@ final class PhabricatorAuthRegisterController
pht( pht(
'Installation is complete. Register your administrator account '. 'Installation is complete. Register your administrator account '.
'below to log in. You will be able to configure options and add '. 'below to log in. You will be able to configure options and add '.
'other authentication mechanisms (like LDAP or OAuth) later on.')); 'authentication mechanisms later on.'));
} }
$object_box = id(new PHUIObjectBoxView()) $object_box = id(new PHUIObjectBoxView())
@ -612,7 +630,8 @@ final class PhabricatorAuthRegisterController
$view = id(new PHUITwoColumnView()) $view = id(new PHUITwoColumnView())
->setHeader($header) ->setHeader($header)
->setFooter(array( ->setFooter(
array(
$welcome_view, $welcome_view,
$invite_header, $invite_header,
$object_box, $object_box,
@ -657,19 +676,6 @@ final class PhabricatorAuthRegisterController
return array($account, $provider, $response); return array($account, $provider, $response);
} }
private function loadSetupAccount() {
$provider = new PhabricatorPasswordAuthProvider();
$provider->attachProviderConfig(
id(new PhabricatorAuthProviderConfig())
->setShouldAllowRegistration(1)
->setShouldAllowLogin(1)
->setIsEnabled(true));
$account = $provider->getDefaultExternalAccount();
$response = null;
return array($account, $provider, $response);
}
private function loadProfilePicture(PhabricatorExternalAccount $account) { private function loadProfilePicture(PhabricatorExternalAccount $account) {
$phid = $account->getProfileImagePHID(); $phid = $account->getProfileImagePHID();
if (!$phid) { if (!$phid) {

View file

@ -557,7 +557,7 @@ final class PhabricatorUser
public static function describeValidUsername() { public static function describeValidUsername() {
return pht( return pht(
'Usernames must contain only numbers, letters, period, underscore and '. 'Usernames must contain only numbers, letters, period, underscore, and '.
'hyphen, and can not end with a period. They must have no more than %d '. 'hyphen, and can not end with a period. They must have no more than %d '.
'characters.', 'characters.',
new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH)); new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));

View file

@ -83,9 +83,8 @@ final class PhabricatorUserEmail extends PhabricatorUserDAO {
*/ */
public static function describeValidAddresses() { public static function describeValidAddresses() {
return pht( return pht(
"Email addresses should be in the form '%s'. The maximum ". 'Email addresses should be in the form "user@domain.com". The maximum '.
"length of an email address is %s character(s).", 'length of an email address is %s characters.',
'user@domain.com',
new PhutilNumber(self::MAX_ADDRESS_LENGTH)); new PhutilNumber(self::MAX_ADDRESS_LENGTH));
} }

View file

@ -3,7 +3,8 @@
Describes how to configure user access to Phabricator. Describes how to configure user access to Phabricator.
= Overview = Overview
========
Phabricator supports a number of login systems. You can enable or disable these Phabricator supports a number of login systems. You can enable or disable these
systems to configure who can register for and access your install, and how users systems to configure who can register for and access your install, and how users
@ -28,24 +29,37 @@ After you add a provider, you can link it to existing accounts (for example,
associate an existing Phabricator account with a GitHub OAuth account) or users associate an existing Phabricator account with a GitHub OAuth account) or users
can use it to register new accounts (assuming you enable these options). can use it to register new accounts (assuming you enable these options).
= Recovering Inaccessible Accounts =
Recovering Inaccessible Accounts
================================
If you accidentally lock yourself out of Phabricator (for example, by disabling If you accidentally lock yourself out of Phabricator (for example, by disabling
all authentication providers), you can use the `bin/auth` all authentication providers), you can normally use the "send a login link"
script to recover access to an account. To recover access, run: action from the login screen to email yourself a login link and regain access
to your account.
If that isn't working (perhaps because you haven't configured email yet), you
can use the `bin/auth` script to recover access to an account. To recover
access, run:
```
phabricator/ $ ./bin/auth recover <username> phabricator/ $ ./bin/auth recover <username>
```
...where `<username>` is the account username you want to recover access ...where `<username>` is the account username you want to recover access
to. This will generate a link which will log you in as the specified user. to. This will generate a link which will log you in as the specified user.
= Managing Accounts with the Web Console =
Managing Accounts with the Web Console
======================================
To manage accounts from the web, login as an administrator account and go to To manage accounts from the web, login as an administrator account and go to
`/people/` or click "People" on the homepage. Provided you're an admin, `/people/` or click "People" on the homepage. Provided you're an admin,
you'll see options to create or edit accounts. you'll see options to create or edit accounts.
= Manually Creating New Accounts =
Manually Creating New Accounts
==============================
There are two ways to manually create new accounts: via the web UI using There are two ways to manually create new accounts: via the web UI using
the "People" application (this is easiest), or via the CLI using the the "People" application (this is easiest), or via the CLI using the
@ -60,7 +74,9 @@ the CLI. You can also use this script to make a user
an administrator (if you accidentally remove your admin flag) or to create an an administrator (if you accidentally remove your admin flag) or to create an
administrative account. administrative account.
= Next Steps =
Next Steps
==========
Continue by: Continue by: