Differential D20023

Prevent users from editing, disabling, or swapping their primary contact number while they have SMS MFA
ClosedPublic
Actions

Authored by epriestley on Jan 23 2019, 7:12 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sat, Nov 9, 4:52 AM

	Unknown Object (File)
	Sat, Nov 9, 4:15 AM

	Unknown Object (File)
	Sat, Nov 9, 4:12 AM

	Unknown Object (File)
	Sat, Nov 9, 3:42 AM

	Unknown Object (File)
	Sat, Nov 9, 2:45 AM

	Unknown Object (File)
	Thu, Oct 24, 9:25 AM

	Unknown Object (File)
	Oct 20 2024, 3:29 AM

	Unknown Object (File)
	Oct 18 2024, 5:35 AM

Subscribers

None

Details

Reviewers

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content

Commits

rP7805b217ad8b: Prevent users from editing, disabling, or swapping their primary contact number…

Summary

Depends on D20022. Ref T13222. Since you can easily lock yourself out of your account by swapping to a bad number, prevent contact number edits while "contact number" MFA (today, always SMS) is enabled.

(Another approach would be to bind factors to specific contact numbers, and then prevent that number from being edited or disabled while SMS MFA was attached to it. However, I think that's a bit more complicated and a little more unwieldy, and ends up in about the same place as this. I'd consider it more strongly in the future if we had like 20 users say "I have 9 phones" but I doubt this is a real use case.)

Test Plan

With SMS MFA, tried to edit my primary contact number, disable it, and promote another number to become primary. Got a sensible error message in all cases.
After removing SMS MFA, did all that stuff with no issues.

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

epriestley created this revision.Jan 23 2019, 7:12 PM

Harbormaster completed remote builds in B21648: Diff 47795.Jan 23 2019, 7:14 PM

epriestley requested review of this revision.Jan 23 2019, 7:14 PM

epriestley added a child revision: D20024: Always require MFA to edit contact numbers.Jan 23 2019, 8:00 PM

amckinley accepted this revision.Jan 23 2019, 8:24 PM

This revision is now accepted and ready to land.Jan 23 2019, 8:24 PM

Closed by commit rP7805b217ad8b: Prevent users from editing, disabling, or swapping their primary contact number… (authored by epriestley). · Explain WhyJan 23 2019, 10:18 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

applications/

auth/

controller/

contact/

PhabricatorAuthContactNumberPrimaryController.php

11 lines

factor/

PhabricatorAuthFactor.php

12 lines

PhabricatorSMSAuthFactor.php

4 lines

xaction/

PhabricatorAuthContactNumberNumberTransaction.php

5 lines

PhabricatorAuthContactNumberPrimaryTransaction.php

6 lines

PhabricatorAuthContactNumberStatusTransaction.php

6 lines

PhabricatorAuthContactNumberTransactionType.php

70 lines

Diff 47820

src/applications/auth/controller/contact/PhabricatorAuthContactNumberPrimaryController.php

Loading...

src/applications/auth/factor/PhabricatorAuthFactor.php

Loading...

src/applications/auth/factor/PhabricatorSMSAuthFactor.php

Loading...

src/applications/auth/xaction/PhabricatorAuthContactNumberNumberTransaction.php

Loading...

src/applications/auth/xaction/PhabricatorAuthContactNumberPrimaryTransaction.php

Loading...

src/applications/auth/xaction/PhabricatorAuthContactNumberStatusTransaction.php

Loading...

src/applications/auth/xaction/PhabricatorAuthContactNumberTransactionType.php

Loading...