Allow restriction of permitted email domains
Summary:
Allow allowed email addresses to be restricted to certain domains. This implies email must be verified.
This probably isn't QUITE ready for prime-time without a few other tweaks (better administrative tools, notably) but we're nearly there.
Test Plan:
- With no restrictions:
  - Registered with OAuth
  - Created an account with accountadmin
  - Added an email
- With restrictions:
  - Tried to OAuth register with a restricted address, was prompted to provide a valid one.
  - Tried to OAuth register with a valid address, worked fine.
  - Tried to accountadmin a restricted address, got blocked.
  - Tried to accountadmin a valid address, worked fine.
  - Tried to add a restricted address, blocked.
  - Tried to add a valid address, worked fine.
  - Created a user with People with an invalid address, got blocked.
  - Created a user with People with a valid address, worked fine.
Reviewers: btrahan, csilvers
Reviewed By: csilvers
CC: aran, joe, csilvers
Maniphest Tasks: T1184
Differential Revision: https://secure.phabricator.com/D2581
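An added, stand-alone illustration of the domain check this revision introduces, written here for this page and not Phabricator's own code: `$allowed_domains`, `is_allowed_address()` and `register_email()` are hypothetical names, and the configuration format (an array of domains, empty meaning unrestricted) is assumed. It follows the same flow as the diff: a provider-supplied address that fails the allowlist is dropped so the user is prompted, and whatever is posted is validated again server-side.

```php
<?php
// Added illustration, not Phabricator code. Hypothetical config: an empty
// list means "no restriction", the "With no restrictions" case above.
$allowed_domains = ['company.com'];

function is_allowed_address(string $address, array $allowed_domains): bool {
    if (!$allowed_domains) {
        return true;                              // unrestricted install
    }
    // The domain is whatever follows the LAST '@'; reject addresses with
    // no '@', an empty local part or an empty domain.
    $at = strrpos($address, '@');
    if ($at === false || $at === 0 || $at === strlen($address) - 1) {
        return false;
    }
    $domain = strtolower(substr($address, $at + 1));
    // Exact, case-insensitive match only: "other-company.com" and
    // "company.com.example" must not pass for "company.com".
    return in_array($domain, array_map('strtolower', $allowed_domains), true);
}

// Registration flow as in the diff: a disallowed provider address is dropped
// so the form prompts for one, and whatever is posted is validated again.
function register_email(?string $provider_email, ?string $posted_email,
                        array $allowed_domains): array {
    $new_email = $provider_email;
    if ($new_email !== null && !is_allowed_address($new_email, $allowed_domains)) {
        $new_email = null;                        // pretend the provider gave nothing
    }
    $show_email_input = ($new_email === null);
    if ($show_email_input) {
        $new_email = $posted_email;
    }
    $errors = [];
    if ($new_email === null || $new_email === '') {
        $errors[] = 'Email is required.';
    } elseif (!is_allowed_address($new_email, $allowed_domains)) {
        $errors[] = 'Email must use one of: @' . implode(', @', $allowed_domains);
    }
    return ['show_input' => $show_email_input, 'email' => $new_email,
            'errors' => $errors];
}

// Google address "joe@personal.com" is refused, user then posts joe@company.com:
var_dump(register_email('joe@personal.com', 'joe@company.com', $allowed_domains));
// ...and a posted address on another domain is refused server-side:
var_dump(register_email(null, 'joe@personal.com', $allowed_domains));
```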
@@ -36,6 +36,26 @@ final class PhabricatorOAuthDefaultRegistrationController

$new_email = $provider->retrieveUserEmail();

if ($new_email) {
// If the user's OAuth provider account has an email address but the
// email address domain is not allowed by the Phabricator configuration,
// we just pretend the provider did not supply an address.
//
// For instance, if the user uses Google OAuth and their Google address
// is "joe@personal.com" but Phabricator is configured to require users
// use "@company.com" addresses, we show a prompt below and tell the user
// to provide their "@company.com" address. They can still use the OAuth
// account to login, they just need to associate their account with an
// allowed address.
//
// If the OAuth address is fine, we just use it and don't prompt the user.
if (!PhabricatorUserEmail::isAllowedAddress($new_email)) {
$new_email = null;
}
}

$show_email_input = ($new_email === null);

if ($request->isFormPost()) {

$user->setUsername($request->getStr('username'));
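Review bot: when the provider address fails `isAllowedAddress`, setting `$new_email = null` makes the form render an empty Email field with no indication that the provider's address was seen and refused; consider also setting `$e_email` (or adding `PhabricatorUserEmail::describeAllowedAddresses()` to `$errors`) on that first render so the user learns why they are being asked. Discarding the address rather than trusting it is the right choice, since the POST path then re-validates whatever the user types.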
@@ -60,6 +80,14 @@ final class PhabricatorOAuthDefaultRegistrationController
}
}

if ($new_email) {
$email_ok = PhabricatorUserEmail::isAllowedAddress($new_email);
if (!$email_ok) {
$e_email = 'Invalid';
$errors[] = PhabricatorUserEmail::describeAllowedAddresses();
}
}

if (!strlen($user->getRealName())) {
$user->setRealName($request->getStr('realname'));
if (!strlen($user->getRealName())) {
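Review bot: the `if ($new_email)` guard means a blank email submission produces no error in these lines; the code between the previous hunk and this one (not shown) should handle the empty case when `$show_email_input` is true, for example `$e_email = 'Required'`, so a blank field is reported rather than silently passing this check. Re-checking `isAllowedAddress` here, on the server, is the important part: the posted value is untrusted regardless of the caption on the form. Minor: `$email_ok` is used once and could be inlined.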
@@ -160,16 +188,17 @@ final class PhabricatorOAuthDefaultRegistrationController
->setValue($user->getUsername())
->setError($e_username));

if ($provider->retrieveUserEmail() === null) {
if ($show_email_input) {
$form->appendChild(
id(new AphrontFormTextControl())
->setLabel('Email')
->setName('email')
->setValue($request->getStr('email'))
->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
->setError($e_email));
}

if ($provider->retrieveUserRealName () === null) {
if ($provider->retrieveUserRealName() === null) {
$form->appendChild(
id(new AphrontFormTextControl())
->setLabel('Real Name')
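Review bot: the switch of the condition from `$provider->retrieveUserEmail() === null` to `$show_email_input` is what makes the prompt appear for a refused provider address and deserves a sentence in the summary. `->setCaption(PhabricatorUserEmail::describeAllowedAddresses())` is attached unconditionally, so confirm that `describeAllowedAddresses()` returns something neutral (or empty) when no domain restriction is configured, or the unrestricted form gets a misleading caption. The `retrieveUserRealName ()` whitespace fix is unrelated and would be cleaner in its own commit.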