Require high-security session to sign legal documents

Summary: Ref T3116. If you have MFA on your account, require a code to sign a legal document. Test Plan: Signed legal documents, got checkpointed. Reviewers: btrahan, chad Reviewed By: chad Subscribers: epriestley Maniphest Tasks: T3116 Differential Revision: https://secure.phabricator.com/D9772
2024-11-10 08:52:39 +01:00 · 2014-06-29 06:16:48 -07:00 · 2014-06-29 06:16:48 -07:00 · c9184db94a
commit c9184db94a
parent bd9584d663
2 changed files with 21 additions and 1 deletions
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@ -274,6 +274,18 @@ final class AphrontRequest {
    return $this->validateCSRF();
  }

+  final public function isFormOrHisecPost() {
+    $post = $this->getExists(self::TYPE_FORM) &&
+            $this->isHTTPPost();
+
+    if (!$post) {
+      return false;
+    }
+
+    return $this->validateCSRF();
+  }
+
+
  final public function setCookiePrefix($prefix) {
    $this->cookiePrefix = $prefix;
    return $this;
--- a/src/applications/legalpad/controller/LegalpadDocumentSignController.php
+++ b/src/applications/legalpad/controller/LegalpadDocumentSignController.php
@ -115,7 +115,15 @@ final class LegalpadDocumentSignController extends LegalpadController {
    $e_agree = null;

    $errors = array();
-    if ($request->isFormPost() && !$has_signed) {
+    if ($request->isFormOrHisecPost() && !$has_signed) {
+
+      // Require two-factor auth to sign legal documents.
+      $engine = new PhabricatorAuthSessionEngine();
+      $engine->requireHighSecuritySession(
+        $viewer,
+        $request,
+        '/'.$document->getMonogram());
+
      $name = $request->getStr('name');
      $agree = $request->getExists('agree');