archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Make many actions require high security

Browse Source 
Summary:
Ref T4398. Protects these actions behind a security barrier:

  - Link external account.
  - Retrieve Conduit token.
  - Reveal Passphrase credential.
  - Create user.
  - Admin/de-admin user.
  - Rename user.
  - Show conduit certificate.
  - Make primary email.
  - Change password.
  - Change VCS password.
  - Add SSH key.
  - Generate SSH key.

Test Plan: Tried to take each action and was prompted for two-factor.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8921
This commit is contained in:
epriestley
2014-04-30 17:44:59 -07:00
parent cf3f8cd809
commit 3fde020049
11 changed files with 56 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/applications/auth/controller/PhabricatorAuthLinkController.php
View File

@@ -83,6 +83,11 @@ final class PhabricatorAuthLinkController
switch ($this->action) { switch ($this->action) {
case 'link': case 'link':
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$panel_uri);
$form = $provider->buildLinkForm($this); $form = $provider->buildLinkForm($this);
break; break;
case 'refresh': case 'refresh':

6
src/applications/conduit/controller/PhabricatorConduitTokenController.php
View File

@@ -7,9 +7,13 @@ final class PhabricatorConduitTokenController
extends PhabricatorConduitController { extends PhabricatorConduitController {
public function processRequest() { public function processRequest() {
$user = $this->getRequest()->getUser(); $user = $this->getRequest()->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$this->getRequest(),
'/');
// Ideally we'd like to verify this, but it's fine to leave it unguarded // Ideally we'd like to verify this, but it's fine to leave it unguarded
// for now and verifying it would need some Ajax junk or for the user to // for now and verifying it would need some Ajax junk or for the user to
// click a button or similar. // click a button or similar.

5
src/applications/diffusion/panel/DiffusionSetPasswordPanel.php
View File

@@ -26,6 +26,11 @@ final class DiffusionSetPasswordPanel extends PhabricatorSettingsPanel {
$viewer = $request->getUser(); $viewer = $request->getUser();
$user = $this->getUser(); $user = $this->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
'/settings/');
$vcspassword = id(new PhabricatorRepositoryVCSPassword()) $vcspassword = id(new PhabricatorRepositoryVCSPassword())
->loadOneWhere( ->loadOneWhere(
'userPHID = %s', 'userPHID = %s',

5
src/applications/passphrase/controller/PassphraseCredentialRevealController.php
View File

@@ -29,6 +29,11 @@ final class PassphraseCredentialRevealController
$view_uri = '/K'.$credential->getID(); $view_uri = '/K'.$credential->getID();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$view_uri);
if ($request->isFormPost()) { if ($request->isFormPost()) {
if ($credential->getSecret()) { if ($credential->getSecret()) {
$body = id(new PHUIFormLayoutView()) $body = id(new PHUIFormLayoutView())

5
src/applications/people/controller/PhabricatorPeopleCreateController.php
View File

@@ -7,6 +7,11 @@ final class PhabricatorPeopleCreateController
$request = $this->getRequest(); $request = $this->getRequest();
$admin = $request->getUser(); $admin = $request->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$this->getApplicationURI());
$v_type = 'standard'; $v_type = 'standard';
if ($request->isFormPost()) { if ($request->isFormPost()) {
$v_type = $request->getStr('type'); $v_type = $request->getStr('type');

5
src/applications/people/controller/PhabricatorPeopleEmpowerController.php
View File

@@ -23,6 +23,11 @@ final class PhabricatorPeopleEmpowerController
$profile_uri = '/p/'.$user->getUsername().'/'; $profile_uri = '/p/'.$user->getUsername().'/';
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$profile_uri);
if ($user->getPHID() == $admin->getPHID()) { if ($user->getPHID() == $admin->getPHID()) {
return $this->newDialog() return $this->newDialog()
->setTitle(pht('Your Way is Blocked')) ->setTitle(pht('Your Way is Blocked'))

5
src/applications/people/controller/PhabricatorPeopleRenameController.php
View File

@@ -23,6 +23,11 @@ final class PhabricatorPeopleRenameController
$profile_uri = '/p/'.$user->getUsername().'/'; $profile_uri = '/p/'.$user->getUsername().'/';
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$admin,
$request,
$profile_uri);
$errors = array(); $errors = array();
$v_username = $user->getUsername(); $v_username = $user->getUsername();

5
src/applications/settings/panel/PhabricatorSettingsPanelConduit.php
View File

@@ -23,6 +23,11 @@ final class PhabricatorSettingsPanelConduit
$user = $this->getUser(); $user = $this->getUser();
$viewer = $request->getUser(); $viewer = $request->getUser();
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
'/settings/');
if ($request->isFormPost()) { if ($request->isFormPost()) {
if (!$request->isDialogFormPost()) { if (!$request->isDialogFormPost()) {
$dialog = new AphrontDialogView(); $dialog = new AphrontDialogView();

5
src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php
View File

@@ -330,6 +330,11 @@ final class PhabricatorSettingsPanelEmailAddresses
$user = $request->getUser(); $user = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$request,
$this->getPanelURI());
// NOTE: You can only make your own verified addresses primary. // NOTE: You can only make your own verified addresses primary.
$email = id(new PhabricatorUserEmail())->loadOneWhere( $email = id(new PhabricatorUserEmail())->loadOneWhere(
'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0', 'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',

5
src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
View File

@@ -35,6 +35,11 @@ final class PhabricatorSettingsPanelPassword
public function processRequest(AphrontRequest $request) { public function processRequest(AphrontRequest $request) {
$user = $request->getUser(); $user = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$user,
$request,
'/settings/');
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length'); $min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
$min_len = (int)$min_len; $min_len = (int)$min_len;

6
src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php
View File

@@ -276,6 +276,12 @@ final class PhabricatorSettingsPanelSSHKeys
$user = $this->getUser(); $user = $this->getUser();
$viewer = $request->getUser(); $viewer = $request->getUser();
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
$viewer,
$request,
$this->getPanelURI());
$is_self = ($user->getPHID() == $viewer->getPHID()); $is_self = ($user->getPHID() == $viewer->getPHID());
if ($request->isFormPost()) { if ($request->isFormPost()) {