diff --git a/src/applications/people/controller/PhabricatorPeopleRenameController.php b/src/applications/people/controller/PhabricatorPeopleRenameController.php --- a/src/applications/people/controller/PhabricatorPeopleRenameController.php +++ b/src/applications/people/controller/PhabricatorPeopleRenameController.php @@ -17,14 +17,9 @@ $done_uri = $this->getApplicationURI("manage/{$id}/"); - id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession( - $viewer, - $request, - $done_uri); - $validation_exception = null; $username = $user->getUsername(); - if ($request->isFormPost()) { + if ($request->isFormOrHisecPost()) { $username = $request->getStr('username'); $xactions = array(); @@ -36,6 +31,7 @@ $editor = id(new PhabricatorUserTransactionEditor()) ->setActor($viewer) ->setContentSourceFromRequest($request) + ->setCancelURI($done_uri) ->setContinueOnMissingFields(true); try { diff --git a/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php b/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php --- a/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php +++ b/src/applications/people/xaction/PhabricatorUserUsernameTransaction.php @@ -89,4 +89,11 @@ return null; } + + public function shouldTryMFA( + $object, + PhabricatorApplicationTransaction $xaction) { + return true; + } + } diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php --- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php +++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php 
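Review bot: With the `requireHighSecuritySession()` call removed, nothing left in this controller says the rename is still MFA-gated, so the branch at `if ($request->isFormOrHisecPost())` should carry a comment pointing at where the gate now lives. Something like `// MFA for renames is requested by PhabricatorUserUsernameTransaction::shouldTryMFA() and handled by the editor when the transactions are applied.` would stop a later reader from treating the deletion as a dropped check. Going by the names alone, "try" may be weaker than "require" for an actor with no factor enrolled, so it is worth confirming that the new path is at least as strict as the removed session check. The enclosing handler starts and ends outside the hunk.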
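Review bot: `shouldTryMFA()` in PhabricatorUserUsernameTransaction returns `true` unconditionally, so every editor that applies a username transaction now takes the MFA path, not only the rename controller. That controller is the only caller this diff prepares, by adding `setCancelURI($done_uri)` and accepting the hisec post. Any other place that applies this transaction type (none is visible here) should be checked for how it behaves when a prompt is requested without a cancel URI or a web request. A short comment above the method, for example `// Renames are sensitive: always ask the editor to prompt for MFA.`, would record why this type opts in.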
@@ -4906,20 +4906,47 @@ PhabricatorLiskDAO $object, array $xactions) { - $is_mfa = ($object instanceof PhabricatorEditEngineMFAInterface); - if (!$is_mfa) { - return $xactions; + $has_engine = ($object instanceof PhabricatorEditEngineMFAInterface); + if ($has_engine) { + $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object) + ->setViewer($this->getActor()); + $require_mfa = $engine->shouldRequireMFA(); + $try_mfa = $engine->shouldTryMFA(); + } else { + $require_mfa = false; + $try_mfa = false; } - $engine = PhabricatorEditEngineMFAEngine::newEngineForObject($object) - ->setViewer($this->getActor()); - $require_mfa = $engine->shouldRequireMFA(); + // If the user is mentioning an MFA object on another object or creating + // a relationship like "parent" or "child" to this object, we always + // allow the edit to move forward without requiring MFA. + if ($this->getIsInverseEdgeEditor()) { + return $xactions; + } if (!$require_mfa) { - $try_mfa = $engine->shouldTryMFA(); + // If the object hasn't already opted into MFA, see if any of the + // transactions want it. + if (!$try_mfa) { + foreach ($xactions as $xaction) { + $type = $xaction->getTransactionType(); + + $xtype = $this->getModularTransactionType($type); + if ($xtype) { + $xtype = clone $xtype; + $xtype->setStorage($xaction); + if ($xtype->shouldTryMFA($object, $xaction)) { + $try_mfa = true; + break; + } + } + } + } + if ($try_mfa) { $this->setShouldRequireMFA(true); } + return $xactions; } @@ -4937,13 +4964,6 @@ return $xactions; } - // If the user is mentioning an MFA object on another object or creating - // a relationship like "parent" or "child" to this object, we allow the - // edit to move forward without requiring MFA. - if ($this->getIsInverseEdgeEditor()) { - return $xactions; - } - $template = $object->getApplicationTransactionTemplate(); $mfa_xaction = id(clone $template) 
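Review bot: The inverse-edge early return now sits ahead of the new per-transaction loop, so a transaction type whose `shouldTryMFA()` returns true is never consulted when `getIsInverseEdgeEditor()` is set. The moved comment speaks only of mentions and parent/child relationships. If inverse-edge editors can only ever carry edge transactions (that guarantee is not visible in this hunk), the comment should say so, e.g. `// Inverse-edge editors apply only edge transactions, so per-transaction MFA opt-ins are deliberately skipped here.` Since the return does not depend on `$require_mfa` or `$try_mfa`, the check could also move above the `$has_engine` block so the engine is not built and queried for nothing. The method's signature and tail lie outside the hunk.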
diff --git a/src/applications/transactions/storage/PhabricatorModularTransactionType.php b/src/applications/transactions/storage/PhabricatorModularTransactionType.php --- a/src/applications/transactions/storage/PhabricatorModularTransactionType.php +++ b/src/applications/transactions/storage/PhabricatorModularTransactionType.php @@ -425,4 +425,10 @@ return PhabricatorPolicyCapability::CAN_EDIT; } + public function shouldTryMFA( + $object, + PhabricatorApplicationTransaction $xaction) { + return false; + } + }
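Review bot: The new base `shouldTryMFA()` in PhabricatorModularTransactionType is an extension point with no docblock, so its contract is only discoverable by reading the editor. A docblock should state that returning true makes the editor call `setShouldRequireMFA(true)` for the whole edit, that the hook is consulted only when the object itself has not already opted in, and that it is not reached for inverse-edge editors. `$object` is also left untyped although the editor passes it from a `PhabricatorLiskDAO $object` parameter; a `@param` line would make that explicit for implementers.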