1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-03 20:22:46 +01:00
Commit graph

6 commits

Author SHA1 Message Date
epriestley
50376aad04 Require multiple auth factors to establish web sessions
Summary:
Ref T4398. This prompts users for multi-factor auth on login.

Roughly, this introduces the idea of "partial" sessions, which we haven't finished constructing yet. In practice, this means the session has made it through primary auth but not through multi-factor auth. Add a workflow for bringing a partial session up to a full one.

Test Plan:
  - Used Conduit.
  - Logged in as multi-factor user.
  - Logged in as no-factor user.
  - Tried to do non-login-things with a partial session.
  - Reviewed account activity logs.

{F149295}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8922
2014-05-01 10:23:02 -07:00
epriestley
0727418023 Consolidate use of magical cookie name strings
Summary: Ref T4339. We have more magical cookie names than we should, move them all to a central location.

Test Plan: Registered, logged in, linked account, logged out. See inlines.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4339

Differential Revision: https://secure.phabricator.com/D8041
2014-01-23 14:01:35 -08:00
epriestley
a6c4117ec4 Fix controller-level access rules
Summary:
Ref T603. I had to partially revert this earlier because it accidentally blocked access to Conduit and File data for installs without "policy.allow-public", since the applications are available to "all users" but some endpoints actually need to be available even when not logged in.

This readjusts the gating in the controller to properly apply application visibility restrictions, and then adds a giant pile of unit test coverage to make sure it sticks and all the weird cases are covered.

Test Plan:
  - Added and executed unit tests.
  - Executed most of the tests manually, by using logged in / admin / public / disabled users.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7211
2013-10-03 19:05:47 -07:00
epriestley
a3d4f4c457 Fix an issue with darkconsole.always-on and logged-out users
Summary:
Fixes T3796. When this got split out into tabs, the data endpoints were accidentally locked down. Open them up again if the setting is on.

Also, when you open/close the console we try to save the preference. Just no-op if you're logged out. Previously, you'd see the requests in DarkConsole since they failed.

Test Plan: Enabled `darkconsole.always-on` and toggled the console on and off as a logged-out user. Disabled the preference and verified it was no longer accessible.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3796

Differential Revision: https://secure.phabricator.com/D6886
2013-09-05 11:16:32 -07:00
Jakub Vrana
0c85a8de87 Display bullet next to request with errors in DarkConsole.
Summary:
I always put a `phlog()` somewhere or something fails and I have hard times figuring out which request it was.

Also fix safe HTML in panel.

Test Plan: Looked at DarkConsole with error on main page, AJAX request and both.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5784
2013-04-25 18:30:13 -07:00
epriestley
114ed6c7fe DarkConsole: fix rendering, move request log, load over ajax
Summary:
This accomplishes three major goals:

  # Fixes phutil_render_tag -> phutil_tag callsites in DarkConsole.
  # Moves the Ajax request log to a new panel on the left. This panel (and the tabs panel) get scrollbars when they get large, instead of making the page constantly scroll down.
  # Loads the panel content over ajax, instead of dumping it into the page body / ajax response body. I've been planning to do this for about 3 years, which is why the plugins are architected the way they are. This should make debugging easier by making response bodies not be 50%+ darkconsole stuff.

Additionally, load the plugins dynamically (the old method predates library maps and PhutilSymbolLoader).

Test Plan:
{F30675}

  - Switched between requests and tabs, reloaded page, saw same tab.
  - Used "analyze queries", "profile page", triggered errors.
  - Verified page does not load anything by default if dark console is closed with Charles.
  - Generally banged on it a bit.

Reviewers: vrana, btrahan, chad

Reviewed By: vrana

CC: aran

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4692
2013-01-28 18:45:32 -08:00