1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-16 03:42:41 +01:00
Commit graph

114 commits

Author SHA1 Message Date
epriestley
ed33e59c5a Fix login issue with stale HTTP vs HTTPS cookies
Summary:
In D758, I tightened the scope for which we issue cookies. Instead of setting
them on the whole domain we set them only on the subdomain, and we set them as
HTTPS only if the install is HTTPS.

However, this can leave the user with a stale HTTP cookie which the browser
sends and which never gets cleared. Handle this situation by:

  - Clear all four <domain, https> pairs when clearing cookies ("nuke it from
orbit").
  - Clear 'phsid' cookies when they're invalid.

Test Plan: Applied a hackier version of this patch to secure.phabricator.com and
was able to login with a stale HTTP cookie.

Reviewers: jungejason, tuomaspelkonen, aran

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 838
2011-08-19 14:09:41 -07:00
epriestley
3c30ea41f1 Enable multiple web sessions
Summary:
Conduit already has multiple-session code, just move it to the main
establishSession() method and set a web session limit larger than 1.

NOTE: This will log everyone out since we no longer look for the "web" session,
only for "web-1", "web-2", ..., etc. Presumably this doesn't matter.

Test Plan:
Applied patch, was logged out. Logged in in Safari. Verified I was issued
"web-1". Logged in in Firefox. Verified I was issued "web-2".

Kept logging in and out until I got issued "web-5", then did it again and was
issued "web-1" with a new key.

Ran conduit methods and verified they work and correctly cycled session keys.

Reviewed By: tuomaspelkonen
Reviewers: tuomaspelkonen, jungejason, aran
Commenters: jungejason
CC: rm, fzamore, ola, aran, epriestley, jungejason, tuomaspelkonen
Differential Revision: 264
2011-05-12 18:45:19 -07:00
epriestley
f9f8ef0e6e Admin and disabled flags for users
Summary:
Provide an "isAdmin" flag for users, to designate administrative users.

Restore the account editing interface and allow it to set role flags and reset
passwords.

Provide an "isDisabled" flag for users and shut down all system access for them.

Test Plan:
Created "admin" and "disabled" users. Did administrative things with the admin
user. Tried to do stuff with the disabled user and was rebuffed. Tried to access
administrative interfaces with a normal non-admin user and was denied.

Reviewed By: aran
Reviewers: tuomaspelkonen, jungejason, aran
CC: ccheever, aran
Differential Revision: 278
2011-05-12 11:17:50 -07:00
epriestley
6c32a99012 Automatically redirect 404's that wouldn't be 404s if they had a trailing slash
to their trailing-slash counterparts.
2011-04-04 10:29:46 -07:00
epriestley
ad7a389106 Fix a bug where too many changesets make it to display.
Summary:

Test Plan:

Reviewers:

CC:
2011-03-07 22:02:46 -08:00
epriestley
a100d97ed5 Preserve "next" URI by using OAuth 'state' parameter
Summary:
When a user clicks a link like /T32 and has to login, redirect them
to the resource once they've authenticated if possible. OAuth has a param
specifically for this, called 'state', so use it if possible. Facebook
supports it but Github does not.

Test Plan:
logged in with facebook after viewing /D20

Reviewed By: aran
Reviewers: aran
CC: aran, epriestley
Differential Revision: 61
2011-03-07 22:00:57 -08:00
epriestley
de2a9c634c Differential lazyweb diff create workflow. 2011-02-05 12:20:18 -08:00
epriestley
addfe3aa79 DarkConsole toggle, workflow behavior. 2011-02-05 11:45:13 -08:00
epriestley
c93dd9c090 Flesh out some DarkConsole stuff. 2011-02-02 22:38:42 -08:00
epriestley
6c37f918b1 Somewhat proper 404 page, plus HTTP response code. 2011-01-30 08:44:28 -08:00
epriestley
9f04548ab9 I guess this can support JS too. 2011-01-30 08:33:40 -08:00
epriestley
ccf7df6093 Authentication 2011-01-26 15:34:20 -08:00
epriestley
2c7e71cac5 Introduce PHID generation. 2011-01-22 22:07:59 -08:00
Evan Priestley
eecc003a62 More phabricator organizational stuff. 2011-01-22 18:00:19 -08:00