mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-30 02:32:42 +01:00
Tell users to "Wait Patiently" for admin account verification later in the registration process
Summary: Depends on D18790. Ref T13024. Fixes T8335. Currently, "unapproved" and "disabled" users are bundled together. This prevents users from completing some registration steps (verification, legalpad documents, MFA enrollment) before approval. Separate approval out and move it to the end so users can do all the required enrollment stuff on their end before we roadblock them. Test Plan: Required approval, email verification, signatures, and MFA. Registered an account. Verified email, signed documents, enrolled in MFA, and then got prompted to wait for approval. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13024, T8335 Differential Revision: https://secure.phabricator.com/D18791
This commit is contained in:
parent
c7718d3a21
commit
ab0f61aa32
3 changed files with 26 additions and 7 deletions
|
@ -9,9 +9,21 @@ final class PhabricatorAuthNeedsMultiFactorController
|
|||
return false;
|
||||
}
|
||||
|
||||
public function shouldRequireEnabledUser() {
|
||||
// Users who haven't been approved yet are allowed to enroll in MFA. We'll
|
||||
// kick disabled users out later.
|
||||
return false;
|
||||
}
|
||||
|
||||
public function handleRequest(AphrontRequest $request) {
|
||||
$viewer = $this->getViewer();
|
||||
|
||||
if ($viewer->getIsDisabled()) {
|
||||
// We allowed unapproved and disabled users to hit this controller, but
|
||||
// want to kick out disabled users now.
|
||||
return new Aphront400Response();
|
||||
}
|
||||
|
||||
$panel = id(new PhabricatorMultiFactorSettingsPanel())
|
||||
->setUser($viewer)
|
||||
->setViewer($viewer)
|
||||
|
|
|
@ -137,10 +137,6 @@ abstract class PhabricatorController extends AphrontController {
|
|||
}
|
||||
|
||||
if ($this->shouldRequireEnabledUser()) {
|
||||
if ($user->isLoggedIn() && !$user->getIsApproved()) {
|
||||
$controller = new PhabricatorAuthNeedsApprovalController();
|
||||
return $this->delegateToController($controller);
|
||||
}
|
||||
if ($user->getIsDisabled()) {
|
||||
$controller = new PhabricatorDisabledUserController();
|
||||
return $this->delegateToController($controller);
|
||||
|
@ -233,6 +229,17 @@ abstract class PhabricatorController extends AphrontController {
|
|||
->withPHIDs(array($application->getPHID()))
|
||||
->executeOne();
|
||||
}
|
||||
|
||||
// If users need approval, require they wait here. We do this near the
|
||||
// end so they can take other actions (like verifying email, signing
|
||||
// documents, and enrolling in MFA) while waiting for an admin to take a
|
||||
// look at things. See T13024 for more discussion.
|
||||
if ($this->shouldRequireEnabledUser()) {
|
||||
if ($user->isLoggedIn() && !$user->getIsApproved()) {
|
||||
$controller = new PhabricatorAuthNeedsApprovalController();
|
||||
return $this->delegateToController($controller);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// NOTE: We do this last so that users get a login page instead of a 403
|
||||
|
|
|
@ -159,10 +159,10 @@ final class PhabricatorAccessControlTestCase extends PhabricatorTestCase {
|
|||
$u_unverified,
|
||||
$u_admin,
|
||||
$u_public,
|
||||
$u_notapproved,
|
||||
),
|
||||
array(
|
||||
$u_disabled,
|
||||
$u_notapproved,
|
||||
));
|
||||
|
||||
|
||||
|
@ -224,7 +224,7 @@ final class PhabricatorAccessControlTestCase extends PhabricatorTestCase {
|
|||
));
|
||||
|
||||
$this->checkAccess(
|
||||
pht('Application Controller'),
|
||||
pht('Application Controller, No Login Required'),
|
||||
id(clone $app_controller)->setConfig('login', false),
|
||||
$request,
|
||||
array(
|
||||
|
@ -232,10 +232,10 @@ final class PhabricatorAccessControlTestCase extends PhabricatorTestCase {
|
|||
$u_unverified,
|
||||
$u_admin,
|
||||
$u_public,
|
||||
$u_notapproved,
|
||||
),
|
||||
array(
|
||||
$u_disabled,
|
||||
$u_notapproved,
|
||||
));
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue