
Always require MFA to edit contact numbers

Summary:
Depends on D20023. Ref T13222. Although I think this isn't strictly necessary from a pure security perspective (since you can't modify the primary number while you have MFA SMS), it seems like a generally good idea.

This adds a slightly new MFA mode, where we want MFA if it's available but don't strictly require it.

Test Plan: Disabled, enabled, primaried, unprimaried, and edited contact numbers. With MFA enabled, got prompted for MFA. With no MFA, no prompts.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20024
This commit is contained in:
epriestley 2019-01-23 11:27:11 -08:00
parent 7805b217ad
commit 587e9cea19
7 changed files with 55 additions and 6 deletions


@ -2205,6 +2205,7 @@ phutil_register_library_map(array(
'PhabricatorAuthContactNumberEditController' => 'applications/auth/controller/contact/PhabricatorAuthContactNumberEditController.php',
'PhabricatorAuthContactNumberEditEngine' => 'applications/auth/editor/PhabricatorAuthContactNumberEditEngine.php',
'PhabricatorAuthContactNumberEditor' => 'applications/auth/editor/PhabricatorAuthContactNumberEditor.php',
'PhabricatorAuthContactNumberMFAEngine' => 'applications/auth/engine/PhabricatorAuthContactNumberMFAEngine.php',
'PhabricatorAuthContactNumberNumberTransaction' => 'applications/auth/xaction/PhabricatorAuthContactNumberNumberTransaction.php',
'PhabricatorAuthContactNumberPHIDType' => 'applications/auth/phid/PhabricatorAuthContactNumberPHIDType.php',
'PhabricatorAuthContactNumberPrimaryController' => 'applications/auth/controller/contact/PhabricatorAuthContactNumberPrimaryController.php',
@ -7909,12 +7910,14 @@ phutil_register_library_map(array(
'PhabricatorApplicationTransactionInterface',
'PhabricatorPolicyInterface',
'PhabricatorDestructibleInterface',
'PhabricatorEditEngineMFAInterface',
),
'PhabricatorAuthContactNumberController' => 'PhabricatorAuthController',
'PhabricatorAuthContactNumberDisableController' => 'PhabricatorAuthContactNumberController',
'PhabricatorAuthContactNumberEditController' => 'PhabricatorAuthContactNumberController',
'PhabricatorAuthContactNumberEditEngine' => 'PhabricatorEditEngine',
'PhabricatorAuthContactNumberEditor' => 'PhabricatorApplicationTransactionEditor',
'PhabricatorAuthContactNumberMFAEngine' => 'PhabricatorEditEngineMFAEngine',
'PhabricatorAuthContactNumberNumberTransaction' => 'PhabricatorAuthContactNumberTransactionType',
'PhabricatorAuthContactNumberPHIDType' => 'PhabricatorPHIDType',
'PhabricatorAuthContactNumberPrimaryController' => 'PhabricatorAuthContactNumberController',


@ -24,7 +24,7 @@ final class PhabricatorAuthContactNumberDisableController
$id = $number->getID();
$cancel_uri = $number->getURI();
if ($request->isFormPost()) {
if ($request->isFormOrHisecPost()) {
$xactions = array();
if ($is_disable) {
@ -42,7 +42,8 @@ final class PhabricatorAuthContactNumberDisableController
->setActor($viewer)
->setContentSourceFromRequest($request)
->setContinueOnNoEffect(true)
->setContinueOnMissingFields(true);
->setContinueOnMissingFields(true)
->setCancelURI($cancel_uri);
try {
$editor->applyTransactions($number, $xactions);
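Review bot: The `try {` on the line before `applyTransactions()` opens a catch block that lies outside this hunk, and with `isFormOrHisecPost()` now admitting the post-MFA resubmission, the editor will rely on an exception escaping `applyTransactions()` to redirect into the MFA prompt; confirm that catch is narrow (the validation exception only) rather than a broad `Exception` catch, otherwise the prompt would be swallowed and the edit silently skipped. The second hunk builds `$xactions` from `$is_disable` and the loaded `$number`, not from request fields, so re-running it on the hisec resubmission is safe as far as the visible lines show. The same two points apply to the PhabricatorAuthContactNumberPrimaryController section below, which makes the identical change. The enclosing handler method starts before and continues after the hunk.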


@ -41,7 +41,7 @@ final class PhabricatorAuthContactNumberPrimaryController
->addCancelButton($cancel_uri);
}
if ($request->isFormPost()) {
if ($request->isFormOrHisecPost()) {
$xactions = array();
$xactions[] = id(new PhabricatorAuthContactNumberTransaction())
@ -53,7 +53,8 @@ final class PhabricatorAuthContactNumberPrimaryController
->setActor($viewer)
->setContentSourceFromRequest($request)
->setContinueOnNoEffect(true)
->setContinueOnMissingFields(true);
->setContinueOnMissingFields(true)
->setCancelURI($cancel_uri);
try {
$editor->applyTransactions($number, $xactions);


@ -0,0 +1,10 @@
<?php
final class PhabricatorAuthContactNumberMFAEngine
extends PhabricatorEditEngineMFAEngine {
public function shouldTryMFA() {
return true;
}
}
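Review bot: The new engine has no docblock explaining why contact numbers opt into the advisory mode rather than the strict one, which is the only non-obvious decision in this file and is otherwise recoverable only from the commit message. I would add a method comment above `shouldTryMFA()` such as `// Prompt for MFA when the user has factors enrolled, but do not force enrollment: the primary number can not be changed while SMS MFA is active, so a strict requirement is unnecessary.` so the next reader does not "fix" this to `shouldRequireMFA()`.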


@ -6,7 +6,8 @@ final class PhabricatorAuthContactNumber
implements
PhabricatorApplicationTransactionInterface,
PhabricatorPolicyInterface,
PhabricatorDestructibleInterface {
PhabricatorDestructibleInterface,
PhabricatorEditEngineMFAInterface {
protected $objectPHID;
protected $contactNumber;
@ -232,4 +233,11 @@ final class PhabricatorAuthContactNumber
}
/* -( PhabricatorEditEngineMFAInterface )---------------------------------- */
public function newEditEngineMFAEngine() {
return new PhabricatorAuthContactNumberMFAEngine();
}
}


@ -34,6 +34,28 @@ abstract class PhabricatorEditEngineMFAEngine
->setObject($object);
}
abstract public function shouldRequireMFA();
/**
* Do edits to this object REQUIRE that the user submit MFA?
*
* This is a strict requirement: users will need to add MFA to their accounts
* if they don't already have it.
*
* @return bool True to strictly require MFA.
*/
public function shouldRequireMFA() {
return false;
}
/**
* Should edits to this object prompt for MFA if it's available?
*
* This is advisory: users without MFA on their accounts will be able to
* perform edits without being required to add MFA.
*
* @return bool True to prompt for MFA if available.
*/
public function shouldTryMFA() {
return false;
}
}
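Review bot: Replacing the abstract `shouldRequireMFA()` with a concrete default of `false`, alongside the new `shouldTryMFA()` also defaulting to `false`, makes the base engine fail open: a subclass that provides an MFA engine but overrides neither method is now a silent no-op gate, where before the compiler forced a decision. If the permissive default is intended, state it where subclass authors will see it, for example a class-level docblock line `* By default neither mode is enabled; a subclass must override shouldRequireMFA() or shouldTryMFA() for the engine to have any effect.`; alternatively keep one of the two methods abstract. The abstract class starts before this hunk.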


@ -4916,6 +4916,10 @@ abstract class PhabricatorApplicationTransactionEditor
$require_mfa = $engine->shouldRequireMFA();
if (!$require_mfa) {
$try_mfa = $engine->shouldTryMFA();
if ($try_mfa) {
$this->setShouldRequireMFA(true);
}
return $xactions;
}
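Review bot: The advisory branch reuses the strict flag, `$this->setShouldRequireMFA(true)`, so whatever later reads that flag cannot distinguish "prompt if available" from "require"; if that reader also enforces enrollment (which the new `shouldRequireMFA()` docblock says strict mode does), the advisory mode would become strict in practice. The reader is outside this hunk, so I cannot confirm from here; the test plan says users without MFA were not prompted, which suggests the flag only drives the prompt, but a comment at the branch would make the contract explicit: `// Advisory mode: raise the hisec prompt when the user has factors, but never force enrollment.`. The enclosing method starts before and continues after the hunk.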