Make many actions require high security

Summary: Ref T4398. Protects these actions behind a security barrier: - Link external account. - Retrieve Conduit token. - Reveal Passphrase credential. - Create user. - Admin/de-admin user. - Rename user. - Show conduit certificate. - Make primary email. - Change password. - Change VCS password. - Add SSH key. - Generate SSH key. Test Plan: Tried to take each action and was prompted for two-factor. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8921
2014-04-30 17:44:59 -07:00
parent cf3f8cd809
commit 3fde020049
11 changed files with 56 additions and 1 deletions
--- a/src/applications/auth/controller/PhabricatorAuthLinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthLinkController.php
@@ -83,6 +83,11 @@ final class PhabricatorAuthLinkController

    switch ($this->action) {
      case 'link':
+        id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
+          $viewer,
+          $request,
+          $panel_uri);
+
        $form = $provider->buildLinkForm($this);
        break;
      case 'refresh':