From a1f25fdb3e630df31e9214b9b9169dcf918917e9 Mon Sep 17 00:00:00 2001
From: Josh Cox
Date: Wed, 24 Aug 2016 17:03:21 -0400
Subject: [PATCH] Added high security requirement to add/delete email addresses
Summary: Fixes T10999. Now MFA will be required for all email address related operations.
Test Plan: Ensure that adding and removing email addresses now requires you to enter high security mode.
Reviewers: #blessed_reviewers, epriestley
Reviewed By: #blessed_reviewers, epriestley
Subscribers: epriestley
Maniphest Tasks: T10999
Differential Revision: https://secure.phabricator.com/D16444
---
 .../panel/PhabricatorEmailAddressesSettingsPanel.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php b/src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php
index b5d8ea8617..31249985e4 100644
--- a/src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php
+++ b/src/applications/settings/panel/PhabricatorEmailAddressesSettingsPanel.php
@@ -165,6 +165,11 @@ final class PhabricatorEmailAddressesSettingsPanel
 $user = $this->getUser();
 $viewer = $this->getViewer();
 
+ $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+ $viewer,
+ $request,
+ $this->getPanelURI());
+
 $e_email = true;
 $email = null;
 $errors = array();
@@ -276,6 +281,11 @@ final class PhabricatorEmailAddressesSettingsPanel
 $user = $this->getUser();
 $viewer = $this->getViewer();
 
+ $token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+ $viewer,
+ $request,
+ $this->getPanelURI());
+
 // NOTE: You can only delete your own email addresses, and you can not
 // delete your primary address.
 $email = id(new PhabricatorUserEmail())->loadOneWhere(
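Review bot: `$token` is assigned but never read inside either hunk (the add handler in the first hunk and the delete handler in the second); unless the remainder of each method consumes it, the assignment is dead and the call should stand alone for its side effect, `id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession($viewer, $request, $this->getPanelURI());`. Placing the guard before any other work is the right order in both handlers: in the delete path the MFA prompt now precedes the `loadOneWhere` ownership lookup. The commit message says MFA now covers all email-address operations, yet only the add and delete handlers are touched here; if the panel also has a set-primary or verify handler, it presumably needs the same call, which is worth confirming before landing. Both enclosing methods start and end outside the hunks, so `$request` is assumed to be a parameter already in scope.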