Prevent mailing lists from being bin/auth recover'd

Summary: Fixes T9610. - We currently permit you to `bin/auth recover` users who can not establish web sessions (but this will never work). Prevent this. - We don't emit a tailored error if you follow one of these links. Tailor the error. Even with the first fix, you can still hit the second case by doing something like: - Recover a normal user. - Make them a mailing list in the DB. - Follow the recovery link. The original issue here was an install that did a large migration and set all users to be mailing lists. Normal installs should never encounter this, but it's not wholly unreasonable to have daemons or mailing lists with the administrator flag. Test Plan: - Tried to follow a recovery link for a mailing list. - Tried to generate a recovery link for a mailing list. - Generated and followed a recovery link for a normal administrator. {F906342} ``` epriestley@orbital ~/dev/phabricator $ ./bin/auth recover tortise-list Usage Exception: This account ("tortise-list") can not establish web sessions, so it is not possible to generate a functional recovery link. Special accounts like daemons and mailing lists can not log in via the web UI. ``` Reviewers: chad Reviewed By: chad Maniphest Tasks: T9610 Differential Revision: https://secure.phabricator.com/D14325
2024-09-19 16:58:48 +02:00 · 2015-10-24 18:12:56 -07:00 · 2015-10-24 18:12:56 -07:00 · 59c9317101
commit 59c9317101
parent a39ec26a67
2 changed files with 26 additions and 0 deletions
--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@ -84,6 +84,22 @@ final class PhabricatorAuthOneTimeLoginController
        ->addCancelButton('/login/email/', pht('Send Another Email'));
    }

+    if (!$target_user->canEstablishWebSessions()) {
+      return $this->newDialog()
+        ->setTitle(pht('Unable to Establish Web Session'))
+        ->setShortTitle(pht('Login Failure'))
+        ->appendParagraph(
+          pht(
+            'You are trying to gain access to an account ("%s") that can not '.
+            'establish a web session.',
+            $target_user->getUsername()))
+        ->appendParagraph(
+          pht(
+            'Special users like daemons and mailing lists are not permitted '.
+            'to log in via the web. Log in as a normal user instead.'))
+        ->addCancelButton('/');
+    }
+
    if ($request->isFormPost()) {
      // If we have an email bound into this URI, verify email so that clicking
      // the link in the "Welcome" email is good enough, without requiring users
--- a/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php
@ -71,6 +71,16 @@ final class PhabricatorAuthManagementRecoverWorkflow
          $can_recover));
    }

+    if (!$user->canEstablishWebSessions()) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'This account ("%s") can not establish web sessions, so it is '.
+          'not possible to generate a functional recovery link. Special '.
+          'accounts like daemons and mailing lists can not log in via the '.
+          'web UI.',
+          $username));
+    }
+
    $engine = new PhabricatorAuthSessionEngine();
    $onetime_uri = $engine->getOneTimeLoginURI(
      $user,