mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-20 13:52:40 +01:00
Only let users log in to an OAuth server if they can see it
Summary: Fixes T7169. We just weren't doing a policy-aware query. Basic idea here is that if you set an app to be visible only to specific users, those specific users are the only ones who should be able to authorize it. In the Phacility cluster, this allows us to prevent users who haven't been invited from logging in to an instance. Test Plan: - Tried to log into an instance I was not a member of. - Logged into an instance I am a member of. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7169 Differential Revision: https://secure.phabricator.com/D11696
This commit is contained in:
parent
dca27279cc
commit
7213eb01e0
1 changed files with 17 additions and 2 deletions
|
@ -39,8 +39,23 @@ final class PhabricatorOAuthServerAuthController
|
||||||
// one giant try / catch around all the exciting database stuff so we
|
// one giant try / catch around all the exciting database stuff so we
|
||||||
// can return a 'server_error' response if something goes wrong!
|
// can return a 'server_error' response if something goes wrong!
|
||||||
try {
|
try {
|
||||||
$client = id(new PhabricatorOAuthServerClient())
|
try {
|
||||||
->loadOneWhere('phid = %s', $client_phid);
|
$client = id(new PhabricatorOAuthServerClientQuery())
|
||||||
|
->setViewer($viewer)
|
||||||
|
->withPHIDs(array($client_phid))
|
||||||
|
->executeOne();
|
||||||
|
} catch (PhabricatorPolicyException $ex) {
|
||||||
|
// We require that users must be able to see an OAuth application
|
||||||
|
// in order to authorize it. This allows an application's visibility
|
||||||
|
// policy to be used to restrict authorized users.
|
||||||
|
|
||||||
|
// None of the OAuth error responses are a perfect fit for this, but
|
||||||
|
// 'invalid_client' seems closest.
|
||||||
|
return $this->buildErrorResponse(
|
||||||
|
'invalid_client',
|
||||||
|
pht('Not Authorized'),
|
||||||
|
pht('You are not authorized to authenticate.'));
|
||||||
|
}
|
||||||
|
|
||||||
if (!$client) {
|
if (!$client) {
|
||||||
return $this->buildErrorResponse(
|
return $this->buildErrorResponse(
|
||||||
|
|
Loading…
Reference in a new issue