Reduce severity of auth provider warning

Summary:
Ref T7208. Now that we have approvals (new installs are safe by default), take those into account when generating this warning.

Try to soften the warning to cover the case discussed in T7208, hopefully without requiring additional measures.

Test Plan:
{F286014}

{F286015}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T7208

Differential Revision: https://secure.phabricator.com/D11708

src/applications/auth/controller/config/PhabricatorAuthListController.php

@@ -92,37 +92,59 @@ final class PhabricatorAuthListController
     $crumbs = $this->buildApplicationCrumbs();
     $crumbs->addTextCrumb(pht('Auth Providers'));
 
-    $config_name = 'auth.email-domains';
+    $domains_key = 'auth.email-domains';
-    $config_href = '/config/edit/'.$config_name.'/';
+    $domains_link = $this->renderConfigLink($domains_key);
-    $config_link = phutil_tag(
+    $domains_value = PhabricatorEnv::getEnvConfig($domains_key);
-      'a',
-      array(
-        'href' => $config_href,
-        'target' => '_blank',
-      ),
-      $config_name);
 
-    $warning = new PHUIErrorView();
+    $approval_key = 'auth.require-approval';
+    $approval_link = $this->renderConfigLink($approval_key);
+    $approval_value = PhabricatorEnv::getEnvConfig($approval_key);
 
-    $email_domains = PhabricatorEnv::getEnvConfig($config_name);
+    $issues = array();
-    if ($email_domains) {
+    if ($domains_value) {
-      $warning->setSeverity(PHUIErrorView::SEVERITY_NOTICE);
+      $issues[] = pht(
-      $warning->appendChild(
+        'Phabricator is configured with an email domain whitelist (in %s), so '.
-        pht(
+        'only users with a verified email address at one of these %s '.
-          'Only users with a verified email address at one of the %s domains '.
+        'allowed domain(s) will be able to register an account: %s',
-          'will be able to register a Phabricator account: %s',
+        $domains_link,
-          $config_link,
+        new PhutilNumber(count($domains_value)),
-          phutil_tag('strong', array(), implode(', ', $email_domains))));
+        phutil_tag('strong', array(), implode(', ', $domains_value)));
     } else {
-      $warning->setSeverity(PHUIErrorView::SEVERITY_WARNING);
+      $issues[] = pht(
-      $warning->appendChild(
-        pht(
         'Anyone who can browse to this Phabricator install will be able to '.
-          'register an account. To restrict who can register an account, '.
+        'register an account. To add email domain restrictions, configure '.
-          'configure %s.',
+        '%s.',
-          $config_link));
+        $domains_link);
     }
 
+    if ($approval_value) {
+      $issues[] = pht(
+        'Administrative approvals are enabled (in %s), so all new users must '.
+        'have their accounts approved by an administrator.',
+        $approval_link);
+    } else {
+      $issues[] = pht(
+        'Administrative approvals are disabled, so users who register will '.
+        'be able to use their accounts immediately. To enable approvals, '.
+        'configure %s.',
+        $approval_link);
+    }
+
+    if (!$domains_value && !$approval_value) {
+      $severity = PHUIErrorView::SEVERITY_WARNING;
+      $issues[] = pht(
+        'You can safely ignore this warning if the install itself has '.
+        'access controls (for example, it is deployed on a VPN) or if all of '.
+        'the configured providers have access controls (for example, they are '.
+        'all private LDAP or OAuth servers).');
+    } else {
+      $severity = PHUIErrorView::SEVERITY_NOTICE;
+    }
+
+    $warning = id(new PHUIErrorView())
+      ->setSeverity($severity)
+      ->setErrors($issues);
+
     $image = id(new PHUIIconView())
           ->setIconFont('fa-plus');
     $button = id(new PHUIButtonView())
@@ -152,4 +174,14 @@ final class PhabricatorAuthListController
       ));
   }
 
+  private function renderConfigLink($key) {
+    return phutil_tag(
+      'a',
+      array(
+        'href' => '/config/edit/'.$key.'/',
+        'target' => '_blank',
+      ),
+      $key);
+  }
+
 }

src/infrastructure/internationalization/translation/PhabricatorBaseEnglishTranslation.php

@@ -911,6 +911,19 @@ abstract class PhabricatorBaseEnglishTranslation
         'The configurations differ:',
         'The configurations differ in these ways:',
       ),
+
+      'Phabricator is configured with an email domain whitelist (in %s), so '.
+      'only users with a verified email address at one of these %s '.
+      'allowed domain(s) will be able to register an account: %s' => array(
+        array(
+          'Phabricator is configured with an email domain whitelist (in %s), '.
+          'so only users with a verified email address at %3$s will be '.
+          'allowed to register an account.',
+          'Phabricator is configured with an email domain whitelist (in %s), '.
+          'so only users with a verified email address at one of these '.
+          'allowed domains will be able to register an account: %3$s',
+        ),
+      ),
     );
   }