mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 14:00:56 +01:00
f9f8ef0e6e
Summary: Provide an "isAdmin" flag for users, to designate administrative users. Restore the account editing interface and allow it to set role flags and reset passwords. Provide an "isDisabled" flag for users and shut down all system access for them. Test Plan: Created "admin" and "disabled" users. Did administrative things with the admin user. Tried to do stuff with the disabled user and was rebuffed. Tried to access administrative interfaces with a normal non-admin user and was denied. Reviewed By: aran Reviewers: tuomaspelkonen, jungejason, aran CC: ccheever, aran Differential Revision: 278
353 lines
16 KiB
PHP
353 lines
16 KiB
PHP
<?php
|
|
|
|
/*
|
|
* Copyright 2011 Facebook, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
return array(
|
|
|
|
// The root URI which Phabricator is installed on.
|
|
// Example: "http://phabricator.example.com/"
|
|
'phabricator.base-uri' => null,
|
|
|
|
// If you have multiple environments, provide the production environment URI
|
|
// here so that emails, etc., generated in development/sandbox environments
|
|
// contain the right links.
|
|
'phabricator.production-uri' => null,
|
|
|
|
// Setting this to 'true' will invoke a special setup mode which helps guide
|
|
// you through setting up Phabricator.
|
|
'phabricator.setup' => false,
|
|
|
|
// The default PHID for users who haven't uploaded a profile image. It should
|
|
// be 50x50px.
|
|
'user.default-profile-image-phid' => 'PHID-FILE-4d61229816cfe6f2b2a3',
|
|
|
|
// -- DarkConsole ----------------------------------------------------------- //
|
|
|
|
// DarkConsole is a administrative debugging/profiling tool built into
|
|
// Phabricator. You can leave it disabled unless you're developing against
|
|
// Phabricator.
|
|
|
|
// Determines whether or not DarkConsole is available. DarkConsole exposes
|
|
// some data like queries and stack traces, so you should be careful about
|
|
// turning it on in production (although users can not normally see it, even
|
|
// if the deployment configuration enables it).
|
|
'darkconsole.enabled' => false,
|
|
|
|
// Always enable DarkConsole, even for logged out users. This potentially
|
|
// exposes sensitive information to users, so make sure untrusted users can
|
|
// not access an install running in this mode. You should definitely leave
|
|
// this off in production. It is only really useful for using DarkConsole
|
|
// utilties to debug or profile logged-out pages. You must set
|
|
// 'darkconsole.enabled' to use this option.
|
|
'darkconsole.always-on' => false,
|
|
|
|
|
|
// Allows you to mask certain configuration values from appearing in the
|
|
// "Config" tab of DarkConsole.
|
|
'darkconsole.config-mask' => array(
|
|
'mysql.pass',
|
|
'amazon-ses.secret-key',
|
|
'recaptcha.private-key',
|
|
'phabricator.csrf-key',
|
|
'facebook.application-secret',
|
|
'github.application-secret',
|
|
),
|
|
|
|
// -- MySQL --------------------------------------------------------------- //
|
|
|
|
// The username to use when connecting to MySQL.
|
|
'mysql.user' => 'root',
|
|
|
|
// The password to use when connecting to MySQL.
|
|
'mysql.pass' => '',
|
|
|
|
// The MySQL server to connect to.
|
|
'mysql.host' => 'localhost',
|
|
|
|
// -- Email ----------------------------------------------------------------- //
|
|
|
|
// Some Phabricator tools send email notifications, e.g. when Differential
|
|
// revisions are updated or Maniphest tasks are changed. These options allow
|
|
// you to configure how email is delivered.
|
|
|
|
// You can test your mail setup by going to "MetaMTA" in the web interface,
|
|
// clicking "Send New Message", and then composing a message.
|
|
|
|
// Default address to send mail "From".
|
|
'metamta.default-address' => 'noreply@example.com',
|
|
|
|
// Domain used to generate Message-IDs.
|
|
'metamta.domain' => 'example.com',
|
|
|
|
// When a user takes an action which generates an email notification (like
|
|
// commenting on a Differential revision), Phabricator can either send that
|
|
// mail "From" the user's email address (like "alincoln@logcabin.com") or
|
|
// "From" the 'metamta.default-address' address. The user experience is
|
|
// generally better if Phabricator uses the user's real address as the "From"
|
|
// since the messages are easier to organize when they appear in mail clients,
|
|
// but this will only work if the server is authorized to send email on behalf
|
|
// of the "From" domain. Practically, this means:
|
|
// - If you are doing an install for Example Corp and all the users will
|
|
// have corporate @corp.example.com addresses and any hosts Phabricator
|
|
// is running on are authorized to send email from corp.example.com,
|
|
// you can enable this to make the user experience a little better.
|
|
// - If you are doing an install for an open source project and your
|
|
// users will be registering via Facebook and using personal email
|
|
// addresses, you MUST NOT enable this or virtually all of your outgoing
|
|
// email will vanish into SFP blackholes.
|
|
// - If your install is anything else, you're much safer leaving this
|
|
// off since the risk in turning it on is that your outgoing mail will
|
|
// mostly never arrive.
|
|
'metamta.can-send-as-user' => false,
|
|
|
|
// Adapter class to use to transmit mail to the MTA. The default uses
|
|
// PHPMailerLite, which will invoke "sendmail". This is appropriate
|
|
// if sendmail actually works on your host, but if you haven't configured mail
|
|
// it may not be so great. You can also use Amazon SES, by changing this to
|
|
// 'PhabricatorMailImplementationAmazonSESAdapter', signing up for SES, and
|
|
// filling in your 'amazon-ses.access-key' and 'amazon-ses.secret-key' below.
|
|
'metamta.mail-adapter' =>
|
|
'PhabricatorMailImplementationPHPMailerLiteAdapter',
|
|
|
|
// When email is sent, try to hand it off to the MTA immediately. This may
|
|
// be worth disabling if your MTA infrastructure is slow or unreliable. If you
|
|
// disable this option, you must run the 'metamta_mta.php' daemon or mail
|
|
// won't be handed off to the MTA. If you're using Amazon SES it can be a
|
|
// little slugish sometimes so it may be worth disabling this and moving to
|
|
// the daemon after you've got your install up and running. If you have a
|
|
// properly configured local MTA it should not be necessary to disable this.
|
|
'metamta.send-immediately' => true,
|
|
|
|
// If you're using Amazon SES to send email, provide your AWS access key
|
|
// and AWS secret key here. To set up Amazon SES with Phabricator, you need
|
|
// to:
|
|
// - Make sure 'metamta.mail-adapter' is set to:
|
|
// "PhabricatorMailImplementationAmazonSESAdapter"
|
|
// - Make sure 'metamta.can-send-as-user' is false.
|
|
// - Make sure 'metamta.default-address' is configured to something sensible.
|
|
// - Make sure 'metamta.default-address' is a validated SES "From" address.
|
|
'amazon-ses.access-key' => null,
|
|
'amazon-ses.secret-key' => null,
|
|
|
|
// You can configure a reply handler domain so that email sent from Maniphest
|
|
// will have a special "Reply To" address like "T123+82+af19f@example.com"
|
|
// that allows recipients to reply by email and interact with tasks. For
|
|
// instructions on configurating reply handlers, see the article
|
|
// "Configuring Inbound Email" in the Phabricator documentation. By default,
|
|
// this is set to 'null' and Phabricator will use a generic 'noreply@' address
|
|
// or the address of the acting user instead of a special reply handler
|
|
// address (see 'metamta.default-address'). If you set a domain here,
|
|
// Phabricator will begin generating private reply handler addresses. See
|
|
// also 'metamta.maniphest.reply-handler' to further configure behavior.
|
|
// This key should be set to the domain part after the @, like "example.com".
|
|
'metamta.maniphest.reply-handler-domain' => null,
|
|
|
|
// You can follow the instructions in "Configuring Inbound Email" in the
|
|
// Phabricator documentation and set 'metamta.maniphest.reply-handler-domain'
|
|
// to support updating Maniphest tasks by email. If you want more advanced
|
|
// customization than this provides, you can override the reply handler
|
|
// class with an implementation of your own. This will allow you to do things
|
|
// like have a single public reply handler or change how private reply
|
|
// handlers are generated and validated.
|
|
// This key should be set to a loadable subclass of
|
|
// PhabricatorMailReplyHandler (and possibly of ManiphestReplyHandler).
|
|
'metamta.maniphest.reply-handler' => 'ManiphestReplyHandler',
|
|
|
|
// See 'metamta.maniphest.reply-handler-domain'. This does the same thing,
|
|
// but allows email replies via Differential.
|
|
'metamta.differential.reply-handler-domain' => null,
|
|
|
|
// See 'metamta.maniphest.reply-handler'. This does the same thing, but
|
|
// affects Differential.
|
|
'metamta.differential.reply-handler' => 'DifferentialReplyHandler',
|
|
|
|
|
|
// -- Auth ------------------------------------------------------------------ //
|
|
|
|
// Can users login with a username/password, or by following the link from
|
|
// a password reset email? You can disable this and configure one or more
|
|
// OAuth providers instead.
|
|
'auth.password-auth-enabled' => true,
|
|
|
|
|
|
// -- Accounts -------------------------------------------------------------- //
|
|
|
|
// Is basic account information (email, real name, profile picture) editable?
|
|
// If you set up Phabricator to automatically synchronize account information
|
|
// from some other authoritative system, you can disable this to ensure
|
|
// information remains consistent across both systems.
|
|
'account.editable' => true,
|
|
|
|
|
|
// -- Facebook ------------------------------------------------------------ //
|
|
|
|
// Can users use Facebook credentials to login to Phabricator?
|
|
'facebook.auth-enabled' => false,
|
|
|
|
// Can users use Facebook credentials to create new Phabricator accounts?
|
|
'facebook.registration-enabled' => true,
|
|
|
|
// Are Facebook accounts permanently linked to Phabricator accounts, or can
|
|
// the user unlink them?
|
|
'facebook.auth-permanent' => false,
|
|
|
|
// The Facebook "Application ID" to use for Facebook API access.
|
|
'facebook.application-id' => null,
|
|
|
|
// The Facebook "Application Secret" to use for Facebook API access.
|
|
'facebook.application-secret' => null,
|
|
|
|
|
|
// -- Github ---------------------------------------------------------------- //
|
|
|
|
// Can users use Github credentials to login to Phabricator?
|
|
'github.auth-enabled' => false,
|
|
|
|
// Can users use Github credentials to create new Phabricator accounts?
|
|
'github.registration-enabled' => true,
|
|
|
|
// Are Github accounts permanently linked to Phabricator accounts, or can
|
|
// the user unlink them?
|
|
'github.auth-permanent' => false,
|
|
|
|
// The Github "Client ID" to use for Github API access.
|
|
'github.application-id' => null,
|
|
|
|
// The Github "Secret" to use for Github API access.
|
|
'github.application-secret' => null,
|
|
|
|
|
|
// -- Recaptcha ------------------------------------------------------------- //
|
|
|
|
// Is Recaptcha enabled? If disabled, captchas will not appear.
|
|
'recaptcha.enabled' => false,
|
|
|
|
// Your Recaptcha public key, obtained from Recaptcha.
|
|
'recaptcha.public-key' => null,
|
|
|
|
// Your Recaptcha private key, obtained from Recaptcha.
|
|
'recaptcha.private-key' => null,
|
|
|
|
|
|
// -- Misc ------------------------------------------------------------------ //
|
|
|
|
// This is hashed with other inputs to generate CSRF tokens. If you want, you
|
|
// can change it to some other string which is unique to your install. This
|
|
// will make your install more secure in a vague, mostly theoretical way. But
|
|
// it will take you like 3 seconds of mashing on your keyboard to set it up so
|
|
// you might as well.
|
|
'phabricator.csrf-key' => '0b7ec0592e0a2829d8b71df2fa269b2c6172eca3',
|
|
|
|
// This is hashed with other inputs to generate mail tokens. If you want, you
|
|
// can change it to some other string which is unique to your install. In
|
|
// particular, you will want to do this if you accidentally send a bunch of
|
|
// mail somewhere you shouldn't have, to invalidate all old reply-to
|
|
// addresses.
|
|
'phabricator.mail-key' => '5ce3e7e8787f6e40dfae861da315a5cdf1018f12',
|
|
|
|
// Version string displayed in the footer. You probably should leave this
|
|
// alone.
|
|
'phabricator.version' => 'UNSTABLE',
|
|
|
|
// PHP requires that you set a timezone in your php.ini before using date
|
|
// functions, or it will emit a warning. If this isn't possible (for instance,
|
|
// because you are using HPHP) you can set some valid constant for
|
|
// date_default_timezone_set() here and Phabricator will set it on your
|
|
// behalf, silencing the warning.
|
|
'phabricator.timezone' => null,
|
|
|
|
|
|
// Phabricator can highlight PHP by default, but if you want syntax
|
|
// highlighting for other languages you should install the python package
|
|
// 'Pygments', make sure the 'pygmentize' script is available in the
|
|
// $PATH of the webserver, and then enable this.
|
|
'pygments.enabled' => false,
|
|
|
|
|
|
// -- Files ----------------------------------------------------------------- //
|
|
|
|
// Lists which uploaded file types may be viewed in the browser. If a file
|
|
// has a mime type which does not appear in this list, it will always be
|
|
// downloaded instead of displayed. This is a security consideration: if a
|
|
// user uploads a file of type "text/html" and it is displayed as
|
|
// "text/html", they can eaily execute XSS attacks. This is also a usability
|
|
// consideration, since browsers tend to freak out when viewing enormous
|
|
// binary files.
|
|
//
|
|
// The keys in this array are viewable mime types; the values are the mime
|
|
// types they will be delivered as when they are viewed in the browser.
|
|
'files.viewable-mime-types' => array(
|
|
'image/jpeg' => 'image/jpeg',
|
|
'image/jpg' => 'image/jpg',
|
|
'image/png' => 'image/png',
|
|
'image/gif' => 'image/gif',
|
|
'text/plain' => 'text/plain; charset=utf-8',
|
|
),
|
|
|
|
// Phabricator can proxy images from other servers so you can paste the URI
|
|
// to a funny picture of a cat into the comment box and have it show up as an
|
|
// image. However, this means the webserver Phabricator is running on will
|
|
// make HTTP requests to arbitrary URIs. If the server has access to internal
|
|
// resources, this could be a security risk. You should only enable it if you
|
|
// are installed entirely a VPN and VPN access is required to access
|
|
// Phabricator, or if the webserver has no special access to anything. If
|
|
// unsure, it is safer to leave this disabled.
|
|
'files.enable-proxy' => false,
|
|
|
|
// -- Differential ---------------------------------------------------------- //
|
|
|
|
'differential.revision-custom-detail-renderer' => null,
|
|
|
|
|
|
// -- Maniphest ------------------------------------------------------------- //
|
|
|
|
'maniphest.enabled' => true,
|
|
|
|
// -- Customization --------------------------------------------------------- //
|
|
|
|
// Paths to additional phutil libraries to load.
|
|
'load-libraries' => array(),
|
|
|
|
'aphront.default-application-configuration-class' =>
|
|
'AphrontDefaultApplicationConfiguration',
|
|
|
|
'controller.oauth-registration' =>
|
|
'PhabricatorOAuthDefaultRegistrationController',
|
|
|
|
|
|
// Directory that phd (the Phabricator daemon control script) should use to
|
|
// track running daemons.
|
|
'phd.pid-directory' => '/var/tmp/phd',
|
|
|
|
// This value is an input to the hash function when building resource hashes.
|
|
// It has no security value, but if you accidentally poison user caches (by
|
|
// pushing a bad patch or having something go wrong with a CDN, e.g.) you can
|
|
// change this to something else and rebuild the Celerity map to break user
|
|
// caches. Unless you are doing Celerity development, it is exceptionally
|
|
// unlikely that you need to modify this.
|
|
'celerity.resource-hash' => 'd9455ea150622ee044f7931dabfa52aa',
|
|
|
|
// In a development environment, it is desirable to force static resources
|
|
// (CSS and JS) to be read from disk on every request, so that edits to them
|
|
// appear when you reload the page even if you haven't updated the resource
|
|
// maps. This setting ensures requests will be verified against the state on
|
|
// disk. Generally, you should leave this off in production (caching behavior
|
|
// and performance improve with it off) but turn it on in development. (These
|
|
// settings are the defaults.)
|
|
'celerity.force-disk-reads' => false,
|
|
|
|
);
|