Page MenuHomePhabricator

Add configuration to lock auth/user creation, or to lock application policies
Closed, ResolvedPublic


This isn't blocking anything, but is parallelizable.

On Phacility instances, we need to prevent users from making some classes of changes to the instance. Some of this we can already lock, but some if it we can't. I think the cleanest way forward is to introduce options:

  • lock.auth Prevents any authentication provider from being added, edited, or removed. We need this because we don't want users on instances unless they also have a account, so we can send them to the correct instance when they log in to the administrative UI by accident. Instances will be configured with only an OAuth2 provider pointed at, and this should be immutable.
  • lock.users Prevent creation or import of users via admin tools. Administrators need to use options on to do this.

I actually think that might be all we need.

These options should be low-level (e.g., in TransactionEditors if possible) and there doesn't need to be a way to disable them -- the scripts which are synchronizing this stuff can use PhabricatorScopedEnv to bypass the options.

Another approach, which might be cleaner, would be:

  • Add a "Can Manage Providers" application-level policy to Auth.
  • Add a "Can Create Users" application-level policy to People.
  • Add a policy.locked (or similar) config option to let us lock specific application policies so they can not be edited.

That would be more flexible and maybe better? Not sure.

Event Timeline

epriestley assigned this task to btrahan.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added a project: Phacility.
epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.
epriestley added a subscriber: epriestley.

I think the second approach sounds better, so approaching things that way.