Page MenuHomePhabricator

Consistently require MFA on the actual user creation flow
ClosedPublic

Authored by epriestley on May 14 2018, 2:06 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 12:02 AM
Unknown Object (File)
Fri, Dec 13, 1:00 AM
Unknown Object (File)
Thu, Dec 12, 1:09 AM
Unknown Object (File)
Fri, Dec 6, 1:51 PM
Unknown Object (File)
Tue, Nov 26, 1:07 PM
Unknown Object (File)
Nov 22 2024, 7:33 PM
Unknown Object (File)
Nov 20 2024, 8:28 PM
Unknown Object (File)
Nov 19 2024, 8:15 PM
Subscribers
None

Details

Summary

See https://hackerone.com/reports/351361. We currently require MFA on the screen leading into the user create flow, but not the actual create flow.

That is, /people/create/ (which is just a "choose a type of account" page) requires MFA, but /people/new/<type>/ does not, even though this is the actual creation page.

Requiring MFA to create users isn't especially critical: creating users isn't really a dangerous action. The major threat is probably just that an attacker can extend their access to an install by creating an account which they have credentials for.

It also isn't consistently enforced: you can invite users or approve users without an MFA check.

So there's an argument for just removing the check. However, I think the check is probably reasonable and that we'd likely prefer to add some more checks eventually (e.g., require MFA to approve or invite) since these actions are rare and could represent useful tools for an attacker even if they are not especially dangerous on their own. This is also the only way to create bot or mailing list accounts, so this check does something on its own, at least.

Test Plan
  • Visited /people/new/standard/ as an admin with MFA configured.
  • Before patch: no MFA prompt.
  • After patch: MFA prompt.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable