In Legalpad, prompt for MFA at the end of the workflow instead of the beginning

Summary: Depends on D19895. Ref T13222. This is a simple behavioral improvement for the current MFA implementation in Legalpad: don't MFA the user and //then// realize that they forgot to actually check the box. Test Plan: - Submitted form without the box checked, got an error saying "check the box" instead of MFA. - Submitted the form with the box checked, got an MFA prompt. - Passed the MFA gate, got a signed form. - Tried to sign another form, hit MFA timed lockout. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19896
2025-01-22 12:41:19 +01:00 · 2018-12-17 11:17:03 -08:00 · 2018-12-17 11:17:03 -08:00 · 961fd7e849
commit 961fd7e849
parent b63783c067
1 changed files with 14 additions and 15 deletions
--- a/src/applications/legalpad/controller/LegalpadDocumentSignController.php
+++ b/src/applications/legalpad/controller/LegalpadDocumentSignController.php
@ -151,21 +151,6 @@ final class LegalpadDocumentSignController extends LegalpadController {
    $errors = array();
    $hisec_token = null;
    if ($request->isFormOrHisecPost() && !$has_signed) {
-
-      // Require two-factor auth to sign legal documents.
-      if ($viewer->isLoggedIn()) {
-        $workflow_key = sprintf(
-          'legalpad.sign(%s)',
-          $document->getPHID());
-
-        $hisec_token = id(new PhabricatorAuthSessionEngine())
-          ->setWorkflowKey($workflow_key)
-          ->requireHighSecurityToken(
-            $viewer,
-            $request,
-            $document->getURI());
-      }
-
      list($form_data, $errors, $field_errors) = $this->readSignatureForm(
        $document,
        $request);
@ -192,6 +177,20 @@ final class LegalpadDocumentSignController extends LegalpadController {
      $signature->setVerified($verified);

      if (!$errors) {
+        // Require MFA to sign legal documents.
+        if ($viewer->isLoggedIn()) {
+          $workflow_key = sprintf(
+            'legalpad.sign(%s)',
+            $document->getPHID());
+
+          $hisec_token = id(new PhabricatorAuthSessionEngine())
+            ->setWorkflowKey($workflow_key)
+            ->requireHighSecurityToken(
+              $viewer,
+              $request,
+              $document->getURI());
+        }
+
        $signature->save();

        // If the viewer is logged in, signing for themselves, send them to