From d24e66724d3bbfef0b0bf331c2a613d1c462a57b Mon Sep 17 00:00:00 2001 From: epriestley Date: Fri, 25 Jan 2019 10:16:49 -0800 Subject: [PATCH] Convert "Rename User" from session MFA to one-shot MFA Summary: Depends on D20035. Ref T13222. - Allow individual transactions to request one-shot MFA if available. - Make "change username" request MFA. Test Plan: - Renamed a user, got prompted for MFA, provided it. - Saw that I no longer remain in high-security after performing the edit. - Grepped for other uses of `PhabricatorUserUsernameTransaction`, found none. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D20036 --- .../PhabricatorPeopleRenameController.php | 8 +--- .../PhabricatorUserUsernameTransaction.php | 7 +++ ...habricatorApplicationTransactionEditor.php | 48 +++++++++++++------ .../PhabricatorModularTransactionType.php | 6 +++ 4 files changed, 49 insertions(+), 20 deletions(-) diff --git a/src/applications/people/controller/PhabricatorPeopleRenameController.php b/src/applications/people/controller/PhabricatorPeopleRenameController.php index 42ff2e7988..42eebfc8ae 100644 --- a/src/applications/people/controller/PhabricatorPeopleRenameController.php +++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php @@ -17,14 +17,9 @@ final class PhabricatorPeopleRenameController $done_uri = $this->getApplicationURI("manage/{$id}/"); - id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession( - $viewer, - $request, - $done_uri); - $validation_exception = null; $username = $user->getUsername(); - if ($request->isFormPost()) { + if ($request->isFormOrHisecPost()) { $username = $request->getStr('username'); $xactions = array(); @@ -36,6 +31,7 @@ final class PhabricatorPeopleRenameController $editor = id(new PhabricatorUserTransactionEditor()) ->setActor($viewer) ->setContentSourceFromRequest($request) + ->setCancelURI($done_uri) ->setContinueOnMissingFields(true); try { diff --git a/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php b/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php index db134a5c78..b6d23b3511 100644 --- a/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php +++ b/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php @@ -89,4 +89,11 @@ final class PhabricatorUserUsernameTransaction return null; } + + public function shouldTryMFA( + $object, + PhabricatorApplicationTransaction $xaction) { + return true; + } + } diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php index fda45fd3d5..c6458b0631 100644 --- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php +++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php @@ -4906,20 +4906,47 @@ abstract class PhabricatorApplicationTransactionEditor PhabricatorLiskDAO $object, array $xactions) { - $is_mfa = ($object instanceof PhabricatorEditEngineMFAInterface); - if (!$is_mfa) { + $has_engine = ($object instanceof PhabricatorEditEngineMFAInterface); + if ($has_engine) { + $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object) + ->setViewer($this->getActor()); + $require_mfa = $engine->shouldRequireMFA(); + $try_mfa = $engine->shouldTryMFA(); + } else { + $require_mfa = false; + $try_mfa = false; + } + + // If the user is mentioning an MFA object on another object or creating + // a relationship like "parent" or "child" to this object, we always + // allow the edit to move forward without requiring MFA. + if ($this->getIsInverseEdgeEditor()) { return $xactions; } - $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object) - ->setViewer($this->getActor()); - $require_mfa = $engine->shouldRequireMFA(); - if (!$require_mfa) { - $try_mfa = $engine->shouldTryMFA(); + // If the object hasn't already opted into MFA, see if any of the + // transactions want it. + if (!$try_mfa) { + foreach ($xactions as $xaction) { + $type = $xaction->getTransactionType(); + + $xtype = $this->getModularTransactionType($type); + if ($xtype) { + $xtype = clone $xtype; + $xtype->setStorage($xaction); + if ($xtype->shouldTryMFA($object, $xaction)) { + $try_mfa = true; + break; + } + } + } + } + if ($try_mfa) { $this->setShouldRequireMFA(true); } + return $xactions; } @@ -4937,13 +4964,6 @@ abstract class PhabricatorApplicationTransactionEditor return $xactions; } - // If the user is mentioning an MFA object on another object or creating - // a relationship like "parent" or "child" to this object, we allow the - // edit to move forward without requiring MFA. - if ($this->getIsInverseEdgeEditor()) { - return $xactions; - } - $template = $object->getApplicationTransactionTemplate(); $mfa_xaction = id(clone $template) diff --git a/src/applications/transactions/storage/PhabricatorModularTransactionType.php b/src/applications/transactions/storage/PhabricatorModularTransactionType.php index 3d2efe0501..abe7a31025 100644 --- a/src/applications/transactions/storage/PhabricatorModularTransactionType.php +++ b/src/applications/transactions/storage/PhabricatorModularTransactionType.php @@ -425,4 +425,10 @@ abstract class PhabricatorModularTransactionType return PhabricatorPolicyCapability::CAN_EDIT; } + public function shouldTryMFA( + $object, + PhabricatorApplicationTransaction $xaction) { + return false; + } + }