phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 14:52:41 +01:00

No description

Find a file

epriestley 28ee6b8080 Consistently require MFA on the actual user creation flow Summary: See <https://hackerone.com/reports/351361>. We currently require MFA on the screen leading into the user create flow, but not the actual create flow. That is, `/people/create/` (which is just a "choose a type of account" page) requires MFA, but `/people/new/<type>/` does not, even though this is the actual creation page. Requiring MFA to create users isn't especially critical: creating users isn't really a dangerous action. The major threat is probably just that an attacker can extend their access to an install by creating an account which they have credentials for. It also isn't consistently enforced: you can invite users or approve users without an MFA check. So there's an argument for just removing the check. However, I think the check is probably reasonable and that we'd likely prefer to add some more checks eventually (e.g., require MFA to approve or invite) since these actions are rare and could represent useful tools for an attacker even if they are not especially dangerous on their own. This is also the only way to create bot or mailing list accounts, so this check does //something// on its own, at least. Test Plan: - Visited `/people/new/standard/` as an admin with MFA configured. - Before patch: no MFA prompt. - After patch: MFA prompt. Reviewers: amckinley Reviewed By: amckinley Differential Revision: https://secure.phabricator.com/D19448		2018-05-14 12:03:07 -07:00
bin	Add a "lock log" for debugging where locks are being held	2018-03-05 17:55:34 -08:00
conf	Support "ssl.chain" in Aphlict configuration	2016-04-14 10:41:21 -07:00
externals	Add profile images to Repositories	2017-06-12 07:51:39 -07:00
resources	Fix "arc paste" to stop creating pastes with an empty string ("") as the "language"	2018-05-09 13:22:58 -07:00
scripts	Update install_ubuntu.sh to the new age	2018-04-21 09:57:33 -07:00
src	Consistently require MFA on the actual user creation flow	2018-05-14 12:03:07 -07:00
support	Always setlocale() to en_US.UTF-8 for the main process	2018-02-05 12:23:06 -08:00
webroot	Fix "arc paste" to stop creating pastes with an empty string ("") as the "language"	2018-05-09 13:22:58 -07:00
.arcconfig	Set "history.immutable" to "false" explicitly in .arcconfig	2016-08-03 08:12:49 -07:00
.arclint	Begin adding test coverage to GitHub Events API parsers	2016-03-09 09:30:07 -08:00
.arcunit	Use the configuration driven unit test engine	2015-08-11 07:57:11 +10:00
.editorconfig	Fix text lint issues	2015-02-12 07:00:13 +11:00
.gitignore	Make i18n string extraction faster and more flexible	2016-07-04 10:23:30 -07:00
LICENSE	Fix text lint issues	2015-02-12 07:00:13 +11:00
NOTICE	Update Phabricator NOTICE file to reflect modern legal circumstances	2014-06-25 13:42:13 -07:00
README.md	Remove push to IRC from "readme.md" too	2015-10-24 18:39:16 -07:00

README.md

Phabricator is a collection of web applications which help software companies build better software.

Phabricator includes applications for:

reviewing and auditing source code;
hosting and browsing repositories;
tracking bugs;
managing projects;
conversing with team members;
assembling a party to venture forth;
writing stuff down and reading it later;
hiding stuff from coworkers; and
also some other things.

You can learn more about the project (and find links to documentation and resources) at Phabricator.org

Phabricator is developed and maintained by Phacility.

SUPPORT RESOURCES

For resources on filing bugs, requesting features, reporting security issues, and getting other kinds of support, see Support Resources.

NO PULL REQUESTS!

We do not accept pull requests through GitHub. If you would like to contribute code, please read our Contributor's Guide.

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.