mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 00:32:42 +01:00

During first-time setup, create an administrator account with no authentication instead of weird, detached authentication

Summary:
Ref T6703. Currently, when you create an account on a new install, we prompt you to select a password.

You can't actually use that password unless you set up a password provider, and that password can't be associated with a provider since a password provider won't exist yet.

Instead, just don't ask for a password: create an account with a username and an email address only. Setup guidance points you toward Auth.

If you lose the session, you can send yourself an email link (if email works yet) or `bin/auth recover` it. This isn't really much different than the pre-change behavior, since you can't use the password you set anyway until you configure password auth.

This also makes fixing T9512 more important, which I'll do in a followup. I also plan to add slightly better guideposts toward Auth.

Test Plan: Hit first-time setup, created an account.

Reviewers: amckinley

Reviewed By: amckinley

Subscribers: revi

Maniphest Tasks: T6703

Differential Revision: https://secure.phabricator.com/D20111
epriestley 2019-02-06 12:59:55 -08:00
parent 378a43d09c
commit 55c18bc900
4 changed files with 89 additions and 68 deletions


@ -21,7 +21,9 @@ final class PhabricatorAuthRegisterController
list($account, $provider, $response) = $result;
$is_default = false;
} else if ($this->isFirstTimeSetup()) {
list($account, $provider, $response) = $this->loadSetupAccount();
$account = null;
$provider = null;
$response = null;
$is_default = true;
$is_setup = true;
} else {
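Review bot: with `$account` and `$provider` both set to null on the first-time-setup path, any later dereference of either variable in this controller becomes a method call on null unless it sits behind an `$is_setup` guard; the hunks below add guards for the registration check, the defaults, the profile picture, email verification and the account save, but the `->setAuthProvider($provider)` call visible in the -501 hunk is not guarded, so confirm that block is unreachable during setup. Also check that `$is_setup` is initialised to false ahead of this branch, since it is only ever assigned true here.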
@ -35,22 +37,24 @@ final class PhabricatorAuthRegisterController
$invite = $this->loadInvite();
if (!$provider->shouldAllowRegistration()) {
if ($invite) {
// If the user has an invite, we allow them to register with any
// provider, even a login-only provider.
} else {
// TODO: This is a routine error if you click "Login" on an external
// auth source which doesn't allow registration. The error should be
// more tailored.
if (!$is_setup) {
if (!$provider->shouldAllowRegistration()) {
if ($invite) {
// If the user has an invite, we allow them to register with any
// provider, even a login-only provider.
} else {
// TODO: This is a routine error if you click "Login" on an external
// auth source which doesn't allow registration. The error should be
// more tailored.
return $this->renderError(
pht(
'The account you are attempting to register with uses an '.
'authentication provider ("%s") which does not allow '.
'registration. An administrator may have recently disabled '.
'registration with this provider.',
$provider->getProviderName()));
return $this->renderError(
pht(
'The account you are attempting to register with uses an '.
'authentication provider ("%s") which does not allow '.
'registration. An administrator may have recently disabled '.
'registration with this provider.',
$provider->getProviderName()));
}
}
}
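Review bot: wrapping the existing check in `if (!$is_setup)` makes `isFirstTimeSetup()` the sole gate between an unauthenticated request and the creation of an administrator account, so a short comment at the new guard stating what that method requires (for example, that no user exists yet) would document the trust boundary; the condition itself is not visible in this hunk. The extra nesting could also be avoided with `if (!$is_setup && !$provider->shouldAllowRegistration())`, which keeps the same behaviour with less indentation.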
@ -58,14 +62,19 @@ final class PhabricatorAuthRegisterController
$user = new PhabricatorUser();
$default_username = $account->getUsername();
$default_realname = $account->getRealName();
if ($is_setup) {
$default_username = null;
$default_realname = null;
$default_email = null;
} else {
$default_username = $account->getUsername();
$default_realname = $account->getRealName();
$default_email = $account->getEmail();
}
$account_type = PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT;
$content_source = PhabricatorContentSource::newFromRequest($request);
$default_email = $account->getEmail();
if ($invite) {
$default_email = $invite->getEmailAddress();
}
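Review bot: the invite override `if ($invite) { $default_email = $invite->getEmailAddress(); }` still runs after the setup branch sets `$default_email = null`, and `$invite = $this->loadInvite()` is evaluated regardless of `$is_setup` in the hunk above; if an invite cannot meaningfully apply during first-time setup, either skip loading it on that path or add a comment explaining why it is harmless. `$account_type` is likewise still computed on the setup path even though no password is set there.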
@ -212,7 +221,11 @@ final class PhabricatorAuthRegisterController
$can_edit_email = $profile->getCanEditEmail();
$can_edit_realname = $profile->getCanEditRealName();
$must_set_password = $provider->shouldRequireRegistrationPassword();
if ($is_setup) {
$must_set_password = false;
} else {
$must_set_password = $provider->shouldRequireRegistrationPassword();
}
$can_edit_anything = $profile->getCanEditAnything() || $must_set_password;
$force_verify = $profile->getShouldVerifyEmail();
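Review bot: with `$must_set_password` forced to false during setup, `$can_edit_anything` collapses to `$profile->getCanEditAnything()`, so the setup form only renders editable fields if the registration profile reports at least one; confirm the profile built for the setup path marks username and email as editable, otherwise the administrator could enter neither.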
@ -334,9 +347,11 @@ final class PhabricatorAuthRegisterController
}
if (!$errors) {
$image = $this->loadProfilePicture($account);
if ($image) {
$user->setProfileImagePHID($image->getPHID());
if (!$is_setup) {
$image = $this->loadProfilePicture($account);
if ($image) {
$user->setProfileImagePHID($image->getPHID());
}
}
try {
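Review bot: the guard is required here because `loadProfilePicture()` is declared with a `PhabricatorExternalAccount $account` type hint (visible in the -657 hunk) and would fatal on null; an alternative that keeps call sites flat is to make the parameter nullable and return null early inside the helper.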
@ -346,17 +361,19 @@ final class PhabricatorAuthRegisterController
$verify_email = true;
}
if ($value_email === $default_email) {
if ($account->getEmailVerified()) {
$verify_email = true;
}
if (!$is_setup) {
if ($value_email === $default_email) {
if ($account->getEmailVerified()) {
$verify_email = true;
}
if ($provider->shouldTrustEmails()) {
$verify_email = true;
}
if ($provider->shouldTrustEmails()) {
$verify_email = true;
}
if ($invite) {
$verify_email = true;
if ($invite) {
$verify_email = true;
}
}
}
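Review bot: on the setup path the whole trusted-email block is skipped, so the administrator's address is marked verified only if the condition ending at the `$verify_email = true;` context line above applies; if the install enforces email verification before login, a fresh admin with an unverified address and no working mail could be locked out immediately, so confirm that case or call it out in the setup guidance the summary mentions.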
@ -438,9 +455,11 @@ final class PhabricatorAuthRegisterController
$transaction_editor->applyTransactions($user, $xactions);
}
$account->setUserPHID($user->getPHID());
$provider->willRegisterAccount($account);
$account->save();
if (!$is_setup) {
$account->setUserPHID($user->getPHID());
$provider->willRegisterAccount($account);
$account->save();
}
$user->saveTransaction();
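Review bot: `$user->saveTransaction()` correctly stays outside the guard so the user row is committed either way, but `$provider->willRegisterAccount($account)` is skipped as well, so any provider-side bookkeeping that previously ran for the setup admin under the old password-provider stub no longer happens; check that nothing after this point (session creation, logging) reads `$account`.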
@ -501,7 +520,6 @@ final class PhabricatorAuthRegisterController
->setAuthProvider($provider)));
}
if ($can_edit_username) {
$form->appendChild(
id(new AphrontFormTextControl())
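Review bot: `->setAuthProvider($provider)` in this context is the one remaining use of `$provider` that the new `$is_setup` guards do not cover; if this form section is only emitted when `$must_set_password` is true (which the -212 hunk forces to false during setup) it is safe, but that dependency is implicit and deserves a comment.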
@ -595,7 +613,7 @@ final class PhabricatorAuthRegisterController
pht(
'Installation is complete. Register your administrator account '.
'below to log in. You will be able to configure options and add '.
'other authentication mechanisms (like LDAP or OAuth) later on.'));
'authentication mechanisms later on.'));
}
$object_box = id(new PHUIObjectBoxView())
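Review bot: the welcome text still says "Register your administrator account below to log in", yet the form no longer collects a password, so the reader is not told how they will log in next time; since the summary plans better guideposts toward Auth, the sentence could already point at configuring an authentication provider (or the recovery flow) right after registration.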
@ -612,11 +630,12 @@ final class PhabricatorAuthRegisterController
$view = id(new PHUITwoColumnView())
->setHeader($header)
->setFooter(array(
$welcome_view,
$invite_header,
$object_box,
));
->setFooter(
array(
$welcome_view,
$invite_header,
$object_box,
));
return $this->newPage()
->setTitle($title)
@ -657,19 +676,6 @@ final class PhabricatorAuthRegisterController
return array($account, $provider, $response);
}
private function loadSetupAccount() {
$provider = new PhabricatorPasswordAuthProvider();
$provider->attachProviderConfig(
id(new PhabricatorAuthProviderConfig())
->setShouldAllowRegistration(1)
->setShouldAllowLogin(1)
->setIsEnabled(true));
$account = $provider->getDefaultExternalAccount();
$response = null;
return array($account, $provider, $response);
}
private function loadProfilePicture(PhabricatorExternalAccount $account) {
$phid = $account->getProfileImagePHID();
if (!$phid) {
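Review bot: removing `loadSetupAccount()` also removes the controller's only construction of a `PhabricatorPasswordAuthProvider` with a synthetic, enabled `PhabricatorAuthProviderConfig`; confirm no other caller remains and that nothing else relied on that detached config, which the summary describes as the "weird, detached authentication" this change retires.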


@ -557,7 +557,7 @@ final class PhabricatorUser
public static function describeValidUsername() {
return pht(
'Usernames must contain only numbers, letters, period, underscore and '.
'Usernames must contain only numbers, letters, period, underscore, and '.
'hyphen, and can not end with a period. They must have no more than %d '.
'characters.',
new PhutilNumber(self::MAXIMUM_USERNAME_LENGTH));
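Review bot: changing a `pht()` string invalidates any existing translations keyed on it; the Oxford-comma edit is fine, but consider whether it is worth the churn.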


@ -83,9 +83,8 @@ final class PhabricatorUserEmail extends PhabricatorUserDAO {
*/
public static function describeValidAddresses() {
return pht(
"Email addresses should be in the form '%s'. The maximum ".
"length of an email address is %s character(s).",
'user@domain.com',
'Email addresses should be in the form "user@domain.com". The maximum '.
'length of an email address is %s characters.',
new PhutilNumber(self::MAX_ADDRESS_LENGTH));
}
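Review bot: inlining `user@domain.com` drops one `%s` and its argument, leaving a single `%s` matched by the single `PhutilNumber` argument, so the placeholder count stays consistent; "character(s)" to "characters" is safe as long as `MAX_ADDRESS_LENGTH` is never 1.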


@ -3,7 +3,8 @@
Describes how to configure user access to Phabricator.
= Overview =
Overview
========
Phabricator supports a number of login systems. You can enable or disable these
systems to configure who can register for and access your install, and how users
@ -28,24 +29,37 @@ After you add a provider, you can link it to existing accounts (for example,
associate an existing Phabricator account with a GitHub OAuth account) or users
can use it to register new accounts (assuming you enable these options).
= Recovering Inaccessible Accounts =
Recovering Inaccessible Accounts
================================
If you accidentally lock yourself out of Phabricator (for example, by disabling
all authentication providers), you can use the `bin/auth`
script to recover access to an account. To recover access, run:
all authentication providers), you can normally use the "send a login link"
action from the login screen to email yourself a login link and regain access
to your account.
phabricator/ $ ./bin/auth recover <username>
If that isn't working (perhaps because you haven't configured email yet), you
can use the `bin/auth` script to recover access to an account. To recover
access, run:
```
phabricator/ $ ./bin/auth recover <username>
```
...where `<username>` is the account username you want to recover access
to. This will generate a link which will log you in as the specified user.
= Managing Accounts with the Web Console =
Managing Accounts with the Web Console
======================================
To manage accounts from the web, login as an administrator account and go to
`/people/` or click "People" on the homepage. Provided you're an admin,
you'll see options to create or edit accounts.
= Manually Creating New Accounts =
Manually Creating New Accounts
==============================
There are two ways to manually create new accounts: via the web UI using
the "People" application (this is easiest), or via the CLI using the
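Review bot: the recovery section now describes two ways to obtain a login link but does not say how the link generated by `bin/auth recover <username>` should be handled; since it logs in as the named user without any further check, add a sentence that it should be treated as a credential (not pasted into shared channels or tickets) and that the emailed login link is only as trustworthy as the mailbox it lands in.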
@ -60,7 +74,9 @@ the CLI. You can also use this script to make a user
an administrator (if you accidentally remove your admin flag) or to create an
administrative account.
= Next Steps =
Next Steps
==========
Continue by: