mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-26 08:42:41 +01:00
During first-time setup, create an administrator account with no authentication instead of weird, detached authentication
Summary: Ref T6703. Currently, when you create an account on a new install, we prompt you to select a password. You can't actually use that password unless you set up a password provider, and that password can't be associated with a provider since a password provider won't exist yet. Instead, just don't ask for a password: create an account with a username and an email address only. Setup guidance points you toward Auth. If you lose the session, you can send yourself an email link (if email works yet) or `bin/auth recover` it. This isn't really much different than the pre-change behavior, since you can't use the password you set anyway until you configure password auth. This also makes fixing T9512 more important, which I'll do in a followup. I also plan to add slightly better guideposts toward Auth. Test Plan: Hit first-time setup, created an account. Reviewers: amckinley Reviewed By: amckinley Subscribers: revi Maniphest Tasks: T6703 Differential Revision: https://secure.phabricator.com/D20111
This commit is contained in:
parent
378a43d09c
commit
55c18bc900
4 changed files with 89 additions and 68 deletions
|
@ -21,7 +21,9 @@ final class PhabricatorAuthRegisterController
|
||||||
list($account, $provider, $response) = $result;
|
list($account, $provider, $response) = $result;
|
||||||
$is_default = false;
|
$is_default = false;
|
||||||
} else if ($this->isFirstTimeSetup()) {
|
} else if ($this->isFirstTimeSetup()) {
|
||||||
list($account, $provider, $response) = $this->loadSetupAccount();
|
$account = null;
|
||||||
|
$provider = null;
|
||||||
|
$response = null;
|
||||||
$is_default = true;
|
$is_default = true;
|
||||||
$is_setup = true;
|
$is_setup = true;
|
||||||
} else {
|
} else {
|
||||||
|
@ -35,6 +37,7 @@ final class PhabricatorAuthRegisterController
|
||||||
|
|
||||||
$invite = $this->loadInvite();
|
$invite = $this->loadInvite();
|
||||||
|
|
||||||
|
if (!$is_setup) {
|
||||||
if (!$provider->shouldAllowRegistration()) {
|
if (!$provider->shouldAllowRegistration()) {
|
||||||
if ($invite) {
|
if ($invite) {
|
||||||
// If the user has an invite, we allow them to register with any
|
// If the user has an invite, we allow them to register with any
|
||||||
|
@ -53,19 +56,25 @@ final class PhabricatorAuthRegisterController
|
||||||
$provider->getProviderName()));
|
$provider->getProviderName()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$errors = array();
|
$errors = array();
|
||||||
|
|
||||||
$user = new PhabricatorUser();
|
$user = new PhabricatorUser();
|
||||||
|
|
||||||
|
if ($is_setup) {
|
||||||
|
$default_username = null;
|
||||||
|
$default_realname = null;
|
||||||
|
$default_email = null;
|
||||||
|
} else {
|
||||||
$default_username = $account->getUsername();
|
$default_username = $account->getUsername();
|
||||||
$default_realname = $account->getRealName();
|
$default_realname = $account->getRealName();
|
||||||
|
$default_email = $account->getEmail();
|
||||||
|
}
|
||||||
|
|
||||||
$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
|
$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
|
||||||
$content_source = PhabricatorContentSource::newFromRequest($request);
|
$content_source = PhabricatorContentSource::newFromRequest($request);
|
||||||
|
|
||||||
$default_email = $account->getEmail();
|
|
||||||
|
|
||||||
if ($invite) {
|
if ($invite) {
|
||||||
$default_email = $invite->getEmailAddress();
|
$default_email = $invite->getEmailAddress();
|
||||||
}
|
}
|
||||||
|
@ -212,7 +221,11 @@ final class PhabricatorAuthRegisterController
|
||||||
$can_edit_email = $profile->getCanEditEmail();
|
$can_edit_email = $profile->getCanEditEmail();
|
||||||
$can_edit_realname = $profile->getCanEditRealName();
|
$can_edit_realname = $profile->getCanEditRealName();
|
||||||
|
|
||||||
|
if ($is_setup) {
|
||||||
|
$must_set_password = false;
|
||||||
|
} else {
|
||||||
$must_set_password = $provider->shouldRequireRegistrationPassword();
|
$must_set_password = $provider->shouldRequireRegistrationPassword();
|
||||||
|
}
|
||||||
|
|
||||||
$can_edit_anything = $profile->getCanEditAnything() || $must_set_password;
|
$can_edit_anything = $profile->getCanEditAnything() || $must_set_password;
|
||||||
$force_verify = $profile->getShouldVerifyEmail();
|
$force_verify = $profile->getShouldVerifyEmail();
|
||||||
|
@ -334,10 +347,12 @@ final class PhabricatorAuthRegisterController
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$errors) {
|
if (!$errors) {
|
||||||
|
if (!$is_setup) {
|
||||||
$image = $this->loadProfilePicture($account);
|
$image = $this->loadProfilePicture($account);
|
||||||
if ($image) {
|
if ($image) {
|
||||||
$user->setProfileImagePHID($image->getPHID());
|
$user->setProfileImagePHID($image->getPHID());
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$verify_email = false;
|
$verify_email = false;
|
||||||
|
@ -346,6 +361,7 @@ final class PhabricatorAuthRegisterController
|
||||||
$verify_email = true;
|
$verify_email = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$is_setup) {
|
||||||
if ($value_email === $default_email) {
|
if ($value_email === $default_email) {
|
||||||
if ($account->getEmailVerified()) {
|
if ($account->getEmailVerified()) {
|
||||||
$verify_email = true;
|
$verify_email = true;
|
||||||
|
@ -359,6 +375,7 @@ final class PhabricatorAuthRegisterController
|
||||||
$verify_email = true;
|
$verify_email = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$email_obj = null;
|
$email_obj = null;
|
||||||
if ($invite) {
|
if ($invite) {
|
||||||
|
@ -438,9 +455,11 @@ final class PhabricatorAuthRegisterController
|
||||||
$transaction_editor->applyTransactions($user, $xactions);
|
$transaction_editor->applyTransactions($user, $xactions);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$is_setup) {
|
||||||
$account->setUserPHID($user->getPHID());
|
$account->setUserPHID($user->getPHID());
|
||||||
$provider->willRegisterAccount($account);
|
$provider->willRegisterAccount($account);
|
||||||
$account->save();
|
$account->save();
|
||||||
|
}
|
||||||
|
|
||||||
$user->saveTransaction();
|
$user->saveTransaction();
|
||||||
|
|
||||||
|
@ -501,7 +520,6 @@ final class PhabricatorAuthRegisterController
|
||||||
->setAuthProvider($provider)));
|
->setAuthProvider($provider)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if ($can_edit_username) {
|
if ($can_edit_username) {
|
||||||
$form->appendChild(
|
$form->appendChild(
|
||||||
id(new AphrontFormTextControl())
|
id(new AphrontFormTextControl())
|
||||||
|
@ -595,7 +613,7 @@ final class PhabricatorAuthRegisterController
|
||||||
pht(
|
pht(
|
||||||
'Installation is complete. Register your administrator account '.
|
'Installation is complete. Register your administrator account '.
|
||||||
'below to log in. You will be able to configure options and add '.
|
'below to log in. You will be able to configure options and add '.
|
||||||
'other authentication mechanisms (like LDAP or OAuth) later on.'));
|
'authentication mechanisms later on.'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$object_box = id(new PHUIObjectBoxView())
|
$object_box = id(new PHUIObjectBoxView())
|
||||||
|
@ -612,7 +630,8 @@ final class PhabricatorAuthRegisterController
|
||||||
|
|
||||||
$view = id(new PHUITwoColumnView())
|
$view = id(new PHUITwoColumnView())
|
||||||
->setHeader($header)
|
->setHeader($header)
|
||||||
->setFooter(array(
|
->setFooter(
|
||||||
|
array(
|
||||||
$welcome_view,
|
$welcome_view,
|
||||||
$invite_header,
|
$invite_header,
|
||||||
$object_box,
|
$object_box,
|
||||||
|
@ -657,19 +676,6 @@ final class PhabricatorAuthRegisterController
|
||||||
return array($account, $provider, $response);
|
return array($account, $provider, $response);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function loadSetupAccount() {
|
|
||||||
$provider = new PhabricatorPasswordAuthProvider();
|
|
||||||
$provider->attachProviderConfig(
|
|
||||||
id(new PhabricatorAuthProviderConfig())
|
|
||||||
->setShouldAllowRegistration(1)
|
|
||||||
->setShouldAllowLogin(1)
|
|
||||||
->setIsEnabled(true));
|
|
||||||
|
|
||||||
$account = $provider->getDefaultExternalAccount();
|
|
||||||
$response = null;
|
|
||||||
return array($account, $provider, $response);
|
|
||||||
}
|
|
||||||
|
|
||||||
private function loadProfilePicture(PhabricatorExternalAccount $account) {
|
private function loadProfilePicture(PhabricatorExternalAccount $account) {
|
||||||
$phid = $account->getProfileImagePHID();
|
$phid = $account->getProfileImagePHID();
|
||||||
if (!$phid) {
|
if (!$phid) {
|
||||||
|
|
|
@ -557,7 +557,7 @@ final class PhabricatorUser
|
||||||
|
|
||||||
public static function describeValidUsername() {
|
public static function describeValidUsername() {
|
||||||
return pht(
|
return pht(
|
||||||
'Usernames must contain only numbers, letters, period, underscore and '.
|
'Usernames must contain only numbers, letters, period, underscore, and '.
|
||||||
'hyphen, and can not end with a period. They must have no more than %d '.
|
'hyphen, and can not end with a period. They must have no more than %d '.
|
||||||
'characters.',
|
'characters.',
|
||||||
new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));
|
new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));
|
||||||
|
|
|
@ -83,9 +83,8 @@ final class PhabricatorUserEmail extends PhabricatorUserDAO {
|
||||||
*/
|
*/
|
||||||
public static function describeValidAddresses() {
|
public static function describeValidAddresses() {
|
||||||
return pht(
|
return pht(
|
||||||
"Email addresses should be in the form '%s'. The maximum ".
|
'Email addresses should be in the form "user@domain.com". The maximum '.
|
||||||
"length of an email address is %s character(s).",
|
'length of an email address is %s characters.',
|
||||||
'user@domain.com',
|
|
||||||
new PhutilNumber(self::MAX_ADDRESS_LENGTH));
|
new PhutilNumber(self::MAX_ADDRESS_LENGTH));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,8 @@
|
||||||
|
|
||||||
Describes how to configure user access to Phabricator.
|
Describes how to configure user access to Phabricator.
|
||||||
|
|
||||||
= Overview =
|
Overview
|
||||||
|
========
|
||||||
|
|
||||||
Phabricator supports a number of login systems. You can enable or disable these
|
Phabricator supports a number of login systems. You can enable or disable these
|
||||||
systems to configure who can register for and access your install, and how users
|
systems to configure who can register for and access your install, and how users
|
||||||
|
@ -28,24 +29,37 @@ After you add a provider, you can link it to existing accounts (for example,
|
||||||
associate an existing Phabricator account with a GitHub OAuth account) or users
|
associate an existing Phabricator account with a GitHub OAuth account) or users
|
||||||
can use it to register new accounts (assuming you enable these options).
|
can use it to register new accounts (assuming you enable these options).
|
||||||
|
|
||||||
= Recovering Inaccessible Accounts =
|
|
||||||
|
Recovering Inaccessible Accounts
|
||||||
|
================================
|
||||||
|
|
||||||
If you accidentally lock yourself out of Phabricator (for example, by disabling
|
If you accidentally lock yourself out of Phabricator (for example, by disabling
|
||||||
all authentication providers), you can use the `bin/auth`
|
all authentication providers), you can normally use the "send a login link"
|
||||||
script to recover access to an account. To recover access, run:
|
action from the login screen to email yourself a login link and regain access
|
||||||
|
to your account.
|
||||||
|
|
||||||
|
If that isn't working (perhaps because you haven't configured email yet), you
|
||||||
|
can use the `bin/auth` script to recover access to an account. To recover
|
||||||
|
access, run:
|
||||||
|
|
||||||
|
```
|
||||||
phabricator/ $ ./bin/auth recover <username>
|
phabricator/ $ ./bin/auth recover <username>
|
||||||
|
```
|
||||||
|
|
||||||
...where `<username>` is the account username you want to recover access
|
...where `<username>` is the account username you want to recover access
|
||||||
to. This will generate a link which will log you in as the specified user.
|
to. This will generate a link which will log you in as the specified user.
|
||||||
|
|
||||||
= Managing Accounts with the Web Console =
|
|
||||||
|
Managing Accounts with the Web Console
|
||||||
|
======================================
|
||||||
|
|
||||||
To manage accounts from the web, login as an administrator account and go to
|
To manage accounts from the web, login as an administrator account and go to
|
||||||
`/people/` or click "People" on the homepage. Provided you're an admin,
|
`/people/` or click "People" on the homepage. Provided you're an admin,
|
||||||
you'll see options to create or edit accounts.
|
you'll see options to create or edit accounts.
|
||||||
|
|
||||||
= Manually Creating New Accounts =
|
|
||||||
|
Manually Creating New Accounts
|
||||||
|
==============================
|
||||||
|
|
||||||
There are two ways to manually create new accounts: via the web UI using
|
There are two ways to manually create new accounts: via the web UI using
|
||||||
the "People" application (this is easiest), or via the CLI using the
|
the "People" application (this is easiest), or via the CLI using the
|
||||||
|
@ -60,7 +74,9 @@ the CLI. You can also use this script to make a user
|
||||||
an administrator (if you accidentally remove your admin flag) or to create an
|
an administrator (if you accidentally remove your admin flag) or to create an
|
||||||
administrative account.
|
administrative account.
|
||||||
|
|
||||||
= Next Steps =
|
|
||||||
|
Next Steps
|
||||||
|
==========
|
||||||
|
|
||||||
Continue by:
|
Continue by:
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue