Actually enforce auth.lock-config

Summary: Forgot to post this after D20394. Fixes T7667.

Test Plan:
    * Edited some providers with the config locked and unlocked.
    * Opened the edit form with the config unlocked, locked the config, then saved, and got a sensible error: {F6576023}

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin

Maniphest Tasks: T7667

Differential Revision: https://secure.phabricator.com/D20645

src/applications/auth/controller/config/PhabricatorAuthEditController.php

@@ -79,6 +79,7 @@ final class PhabricatorAuthEditController
     }
 
     $errors = array();
+    $validation_exception = null;
 
     $v_login = $config->getShouldAllowLogin();
     $v_registration = $config->getShouldAllowRegistration();
@@ -153,12 +154,16 @@ final class PhabricatorAuthEditController
         $editor = id(new PhabricatorAuthProviderConfigEditor())
           ->setActor($viewer)
           ->setContentSourceFromRequest($request)
-          ->setContinueOnNoEffect(true)
+          ->setContinueOnNoEffect(true);
-          ->applyTransactions($config, $xactions);
 
+        try {
+          $editor->applyTransactions($config, $xactions);
           $next_uri = $config->getURI();
 
           return id(new AphrontRedirectResponse())->setURI($next_uri);
+        } catch (Exception $ex) {
+          $validation_exception = $ex;
+        }
       }
     } else {
       $properties = $provider->readFormValuesFromProvider();
@@ -325,12 +330,35 @@ final class PhabricatorAuthEditController
 
     $provider->extendEditForm($request, $form, $properties, $issues);
 
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    $locked_warning = null;
+    if ($is_locked && !$validation_exception) {
+      $message = pht(
+        'Authentication provider configuration is locked, and can not be '.
+        'changed without being unlocked. See the configuration setting %s '.
+        'for details.',
+        phutil_tag(
+          'a',
+          array(
+            'href' => '/config/edit/'.$locked_config_key,
+          ),
+          $locked_config_key));
+      $locked_warning = id(new PHUIInfoView())
+        ->setViewer($viewer)
+        ->setSeverity(PHUIInfoView::SEVERITY_WARNING)
+        ->setErrors(array($message));
+    }
+
     $form
       ->appendChild(
         id(new AphrontFormSubmitControl())
           ->addCancelButton($cancel_uri)
+          ->setDisabled($is_locked)
           ->setValue($button));
 
+
     $help = $provider->getConfigurationHelp();
     if ($help) {
       $form->appendChild(id(new PHUIFormDividerControl()));
@@ -346,12 +374,16 @@ final class PhabricatorAuthEditController
     $form_box = id(new PHUIObjectBoxView())
       ->setHeaderText(pht('Provider'))
       ->setFormErrors($errors)
+      ->setValidationException($validation_exception)
       ->setBackground(PHUIObjectBoxView::BLUE_PROPERTY)
       ->setForm($form);
 
+
+
     $view = id(new PHUITwoColumnView())
       ->setHeader($header)
       ->setFooter(array(
+        $locked_warning,
         $form_box,
         $footer,
       ));

src/applications/auth/controller/config/PhabricatorAuthListController.php

@@ -78,12 +78,14 @@ final class PhabricatorAuthListController
       ->setGuidanceContext($guidance_context)
       ->newInfoView();
 
+    $is_disabled = (!$can_manage || $is_locked);
     $button = id(new PHUIButtonView())
       ->setTag('a')
       ->setButtonType(PHUIButtonView::BUTTONTYPE_SIMPLE)
-      ->setHref($this->getApplicationURI('config/new/'))
       ->setIcon('fa-plus')
-      ->setDisabled(!$can_manage || $is_locked)
+      ->setDisabled($is_disabled)
+      ->setWorkflow($is_disabled)
+      ->setHref($this->getApplicationURI('config/new/'))
       ->setText(pht('Add Provider'));
 
     $list->setFlush(true);

src/applications/auth/controller/config/PhabricatorAuthNewController.php

@@ -9,6 +9,27 @@ final class PhabricatorAuthNewController
 
     $viewer = $this->getViewer();
     $cancel_uri = $this->getApplicationURI();
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    if ($is_locked) {
+      $message = pht(
+        'Authentication provider configuration is locked, and can not be '.
+        'changed without being unlocked. See the configuration setting %s '.
+        'for details.',
+        phutil_tag(
+          'a',
+          array(
+            'href' => '/config/edit/'.$locked_config_key,
+          ),
+          $locked_config_key));
+
+      return $this->newDialog()
+        ->setUser($viewer)
+        ->setTitle(pht('Authentication Config Locked'))
+        ->appendChild($message)
+        ->addCancelButton($cancel_uri);
+    }
 
     $providers = PhabricatorAuthProvider::getAllBaseProviders();
 

src/applications/auth/editor/PhabricatorAuthProviderConfigEditor.php

@@ -125,4 +125,25 @@ final class PhabricatorAuthProviderConfigEditor
     return parent::mergeTransactions($u, $v);
   }
 
+  protected function validateAllTransactions(
+    PhabricatorLiskDAO $object,
+    array $xactions) {
+
+    $errors = parent::validateAllTransactions($object, $xactions);
+
+    $locked_config_key = 'auth.lock-config';
+    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
+
+    if ($is_locked) {
+      $errors[] = new PhabricatorApplicationTransactionValidationError(
+        null,
+        pht('Config Locked'),
+        pht('Authentication provider configuration is locked, and can not be '.
+            'changed without being unlocked.'),
+        null);
+    }
+
+    return $errors;
+  }
+
 }