Skip to content

Commit 3fde020

Browse files
author
epriestley
committed
Make many actions require high security
Summary: Ref T4398. Protects these actions behind a security barrier: - Link external account. - Retrieve Conduit token. - Reveal Passphrase credential. - Create user. - Admin/de-admin user. - Rename user. - Show conduit certificate. - Make primary email. - Change password. - Change VCS password. - Add SSH key. - Generate SSH key. Test Plan: Tried to take each action and was prompted for two-factor. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8921
1 parent cf3f8cd commit 3fde020

11 files changed

+56
-1
lines changed

src/applications/auth/controller/PhabricatorAuthLinkController.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -83,6 +83,11 @@ public function processRequest() {
8383

8484
switch ($this->action) {
8585
case 'link':
86+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
87+
$viewer,
88+
$request,
89+
$panel_uri);
90+
8691
$form = $provider->buildLinkForm($this);
8792
break;
8893
case 'refresh':

src/applications/conduit/controller/PhabricatorConduitTokenController.php

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,9 +7,13 @@ final class PhabricatorConduitTokenController
77
extends PhabricatorConduitController {
88

99
public function processRequest() {
10-
1110
$user = $this->getRequest()->getUser();
1211

12+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
13+
$user,
14+
$this->getRequest(),
15+
'/');
16+
1317
// Ideally we'd like to verify this, but it's fine to leave it unguarded
1418
// for now and verifying it would need some Ajax junk or for the user to
1519
// click a button or similar.

src/applications/diffusion/panel/DiffusionSetPasswordPanel.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,11 @@ public function processRequest(AphrontRequest $request) {
2626
$viewer = $request->getUser();
2727
$user = $this->getUser();
2828

29+
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
30+
$viewer,
31+
$request,
32+
'/settings/');
33+
2934
$vcspassword = id(new PhabricatorRepositoryVCSPassword())
3035
->loadOneWhere(
3136
'userPHID = %s',

src/applications/passphrase/controller/PassphraseCredentialRevealController.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,11 @@ public function processRequest() {
2929

3030
$view_uri = '/K'.$credential->getID();
3131

32+
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
33+
$viewer,
34+
$request,
35+
$view_uri);
36+
3237
if ($request->isFormPost()) {
3338
if ($credential->getSecret()) {
3439
$body = id(new PHUIFormLayoutView())

src/applications/people/controller/PhabricatorPeopleCreateController.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,11 @@ public function processRequest() {
77
$request = $this->getRequest();
88
$admin = $request->getUser();
99

10+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
11+
$admin,
12+
$request,
13+
$this->getApplicationURI());
14+
1015
$v_type = 'standard';
1116
if ($request->isFormPost()) {
1217
$v_type = $request->getStr('type');

src/applications/people/controller/PhabricatorPeopleEmpowerController.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,11 @@ public function processRequest() {
2323

2424
$profile_uri = '/p/'.$user->getUsername().'/';
2525

26+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
27+
$admin,
28+
$request,
29+
$profile_uri);
30+
2631
if ($user->getPHID() == $admin->getPHID()) {
2732
return $this->newDialog()
2833
->setTitle(pht('Your Way is Blocked'))

src/applications/people/controller/PhabricatorPeopleRenameController.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,11 @@ public function processRequest() {
2323

2424
$profile_uri = '/p/'.$user->getUsername().'/';
2525

26+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
27+
$admin,
28+
$request,
29+
$profile_uri);
30+
2631
$errors = array();
2732

2833
$v_username = $user->getUsername();

src/applications/settings/panel/PhabricatorSettingsPanelConduit.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,11 @@ public function processRequest(AphrontRequest $request) {
2323
$user = $this->getUser();
2424
$viewer = $request->getUser();
2525

26+
id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
27+
$viewer,
28+
$request,
29+
'/settings/');
30+
2631
if ($request->isFormPost()) {
2732
if (!$request->isDialogFormPost()) {
2833
$dialog = new AphrontDialogView();

src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -330,6 +330,11 @@ private function returnPrimaryAddressResponse(
330330

331331
$user = $request->getUser();
332332

333+
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
334+
$user,
335+
$request,
336+
$this->getPanelURI());
337+
333338
// NOTE: You can only make your own verified addresses primary.
334339
$email = id(new PhabricatorUserEmail())->loadOneWhere(
335340
'id = %d AND userPHID = %s AND isVerified = 1 AND isPrimary = 0',

src/applications/settings/panel/PhabricatorSettingsPanelPassword.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,11 @@ public function isEnabled() {
3535
public function processRequest(AphrontRequest $request) {
3636
$user = $request->getUser();
3737

38+
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
39+
$user,
40+
$request,
41+
'/settings/');
42+
3843
$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
3944
$min_len = (int)$min_len;
4045

src/applications/settings/panel/PhabricatorSettingsPanelSSHKeys.php

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -276,6 +276,12 @@ private function processGenerate(AphrontRequest $request) {
276276
$user = $this->getUser();
277277
$viewer = $request->getUser();
278278

279+
$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
280+
$viewer,
281+
$request,
282+
$this->getPanelURI());
283+
284+
279285
$is_self = ($user->getPHID() == $viewer->getPHID());
280286

281287
if ($request->isFormPost()) {

0 commit comments

Comments
 (0)