Differential D19886 Diff 47498 src/aphront/handler/PhabricatorHighSecurityRequestExceptionHandler.php
Changeset View
Changeset View
Standalone View
Standalone View
src/aphront/handler/PhabricatorHighSecurityRequestExceptionHandler.php
| Show All 23 Lines | public function canHandleRequestThrowable( | ||||
| return ($throwable instanceof PhabricatorAuthHighSecurityRequiredException); | return ($throwable instanceof PhabricatorAuthHighSecurityRequiredException); | ||||
| } | } | ||||
| public function handleRequestThrowable( | public function handleRequestThrowable( | ||||
| AphrontRequest $request, | AphrontRequest $request, | ||||
| $throwable) { | $throwable) { | ||||
| $viewer = $this->getViewer($request); | $viewer = $this->getViewer($request); | ||||
| $results = $throwable->getFactorValidationResults(); | |||||
| $form = id(new PhabricatorAuthSessionEngine())->renderHighSecurityForm( | $form = id(new PhabricatorAuthSessionEngine())->renderHighSecurityForm( | ||||
| $throwable->getFactors(), | $throwable->getFactors(), | ||||
| $throwable->getFactorValidationResults(), | $results, | ||||
| $viewer, | $viewer, | ||||
| $request); | $request); | ||||
| $is_wait = false; | |||||
| foreach ($results as $result) { | |||||
| if ($result->getIsWait()) { | |||||
| $is_wait = true; | |||||
| break; | |||||
| } | |||||
| } | |||||
| if ($is_wait) { | |||||
| $submit = pht('Wait Patiently'); | |||||
amckinley: Should this dialogue be scarier? "Another Phabricator session of yours is currently proceeding… | |||||
Done Inline ActionsI think this will probably happen reasonably often (log out + log in within a couple minutes, two browsers, or desktop + mobile) in the wild and probably doesn't mean anything ~100% of the time. It could mean something bad but I'm wary about crying wolf and we can't really give the user very good next steps other than "tell someone", and that someone is just going to ignore them after the first three times it happens I think. (It's maybe worth looking at more awareness around sessions in general, e.g. login alerts, at some point -- those are actionable, and could do a better job of covering this. "Bind session to IP" also has a task somewhere and would help.) epriestley: I //think// this will probably happen reasonably often (log out + log in within a couple… | |||||
| } else { | |||||
| $submit = pht('Enter High Security'); | |||||
| } | |||||
| $dialog = id(new AphrontDialogView()) | $dialog = id(new AphrontDialogView()) | ||||
| ->setUser($viewer) | ->setUser($viewer) | ||||
| ->setTitle(pht('Entering High Security')) | ->setTitle(pht('Entering High Security')) | ||||
| ->setShortTitle(pht('Security Checkpoint')) | ->setShortTitle(pht('Security Checkpoint')) | ||||
| ->setWidth(AphrontDialogView::WIDTH_FORM) | ->setWidth(AphrontDialogView::WIDTH_FORM) | ||||
| ->addHiddenInput(AphrontRequest::TYPE_HISEC, true) | ->addHiddenInput(AphrontRequest::TYPE_HISEC, true) | ||||
| ->setErrors( | ->setErrors( | ||||
| array( | array( | ||||
| Show All 10 Lines | $dialog = id(new AphrontDialogView()) | ||||
| ->appendChild($form->buildLayoutView()) | ->appendChild($form->buildLayoutView()) | ||||
| ->appendParagraph( | ->appendParagraph( | ||||
| pht( | pht( | ||||
| 'Your account will remain in high security mode for a short '. | 'Your account will remain in high security mode for a short '. | ||||
| 'period of time. When you are finished taking sensitive '. | 'period of time. When you are finished taking sensitive '. | ||||
| 'actions, you should leave high security.')) | 'actions, you should leave high security.')) | ||||
| ->setSubmitURI($request->getPath()) | ->setSubmitURI($request->getPath()) | ||||
| ->addCancelButton($throwable->getCancelURI()) | ->addCancelButton($throwable->getCancelURI()) | ||||
| ->addSubmitButton(pht('Enter High Security')); | ->addSubmitButton($submit); | ||||
| $request_parameters = $request->getPassthroughRequestParameters( | $request_parameters = $request->getPassthroughRequestParameters( | ||||
| $respect_quicksand = true); | $respect_quicksand = true); | ||||
| foreach ($request_parameters as $key => $value) { | foreach ($request_parameters as $key => $value) { | ||||
| $dialog->addHiddenInput($key, $value); | $dialog->addHiddenInput($key, $value); | ||||
| } | } | ||||
| return $dialog; | return $dialog; | ||||
| } | } | ||||
| } | } | ||||
Should this dialogue be scarier? "Another Phabricator session of yours is currently proceeding through an MFA challenge; if this is surprising to you, you should probably call your CISO and/or move to Belize," or similar.