Changeset View
Changeset View
Standalone View
Standalone View
src/applications/auth/revoker/PhabricatorAuthPasswordRevoker.php
| <?php | <?php | ||||
| final class PhabricatorAuthPasswordRevoker | final class PhabricatorAuthPasswordRevoker | ||||
| extends PhabricatorAuthRevoker { | extends PhabricatorAuthRevoker { | ||||
| const REVOKERKEY = 'password'; | const REVOKERKEY = 'password'; | ||||
| public function getRevokerName() { | |||||
| return pht('Passwords'); | |||||
| } | |||||
| public function getRevokerDescription() { | |||||
| return pht( | |||||
| "Revokes all stored passwords.\n\n". | |||||
| "Account passwords and VCS passwords (used to access repositories ". | |||||
| "over HTTP) will both be revoked. Passwords for any third party ". | |||||
| "applications which use shared password infrastructure will also ". | |||||
| "be revoked.\n\n". | |||||
| "Users will need to reset account passwords, possibly by using the ". | |||||
| "\"Forgot Password?\" link on the login page. They will also need ". | |||||
| "to reset VCS passwords.\n\n". | |||||
| "Passwords are revoked, not just removed. Users will be unable to ". | |||||
| "select the passwords they used previously and must choose new, ". | |||||
| "unique passwords.\n\n". | |||||
| "Revoking passwords will not terminate outstanding login sessions. ". | |||||
| "Use the \"session\" revoker in conjunction with this revoker to force ". | |||||
| "users to login again."); | |||||
amckinley: This feels weird... if you're responding to a possible compromise, why would you want to revoke… | |||||
| } | |||||
| public function getRevokerNextSteps() { | |||||
| return pht( | |||||
| 'NOTE: Revoking passwords does not terminate existing sessions which '. | |||||
| 'were established using the old passwords. To terminate existing '. | |||||
| 'sessions, run the "session" revoker now.'); | |||||
| } | |||||
| public function revokeAllCredentials() { | public function revokeAllCredentials() { | ||||
| $query = new PhabricatorAuthPasswordQuery(); | $query = new PhabricatorAuthPasswordQuery(); | ||||
| return $this->revokeWithQuery($query); | return $this->revokeWithQuery($query); | ||||
| } | } | ||||
| public function revokeCredentialsFrom($object) { | public function revokeCredentialsFrom($object) { | ||||
| $query = id(new PhabricatorAuthPasswordQuery()) | $query = id(new PhabricatorAuthPasswordQuery()) | ||||
| ->withObjectPHIDs(array($object->getPHID())); | ->withObjectPHIDs(array($object->getPHID())); | ||||
| Show All 37 Lines | |||||
This feels weird... if you're responding to a possible compromise, why would you want to revoke passwords without also terminating sessions?