src/applications/config/check/PhabricatorAuthSetupCheck.php
Show All 16 Lines | protected function executeChecks() { | ||||
// that providers are enabled, available, correctly configured, etc. As | // that providers are enabled, available, correctly configured, etc. As | ||||
// long as they've created some kind of provider in the auth app before, | // long as they've created some kind of provider in the auth app before, | ||||
// they know that it exists and don't need the hint to go check it out. | // they know that it exists and don't need the hint to go check it out. | ||||
$configs = id(new PhabricatorAuthProviderConfigQuery()) | $configs = id(new PhabricatorAuthProviderConfigQuery()) | ||||
->setViewer(PhabricatorUser::getOmnipotentUser()) | ->setViewer(PhabricatorUser::getOmnipotentUser()) | ||||
->execute(); | ->execute(); | ||||
$did_warn = false; | |||||
if (!$configs) { | if (!$configs) { | ||||
$message = pht( | $message = pht( | ||||
'You have not configured any authentication providers yet. You '. | 'You have not configured any authentication providers yet. You '. | ||||
'should add a provider (like username/password, LDAP, or GitHub '. | 'should add a provider (like username/password, LDAP, or GitHub '. | ||||
'OAuth) so users can register and log in. You can add and configure '. | 'OAuth) so users can register and log in. You can add and configure '. | ||||
'providers using the Auth Application.'); | 'providers using the Auth Application.'); | ||||
$this | $this | ||||
->newIssue('auth.noproviders') | ->newIssue('auth.noproviders') | ||||
->setShortName(pht('No Auth Providers')) | ->setShortName(pht('No Auth Providers')) | ||||
->setName(pht('No Authentication Providers Configured')) | ->setName(pht('No Authentication Providers Configured')) | ||||
->setMessage($message) | ->setMessage($message) | ||||
->addLink('/auth/', pht('Auth Application')); | ->addLink('/auth/', pht('Auth Application')); | ||||
$did_warn = true; | |||||
} | |||||
// This check is meant for new administrators, but we don't want to | |||||
// show both this warning and the "No Auth Providers" warning. Also, | |||||
// show this as a reminder to go back and do a `bin/auth lock` after | |||||
// they make their desired changes. | |||||
$is_locked = PhabricatorEnv::getEnvConfig('auth.lock-config'); | |||||
if (!$is_locked && !$did_warn) { | |||||
$message = pht( | |||||
'Your authentication provider configuration is unlocked. Once you '. | |||||
'finish setting up or modifying authentication, you should lock the '. | |||||
'configuration to prevent unauthorized changes.'. | |||||
"\n\n". | |||||
'Leaving your authentication provider configuration unlocked '. | |||||
'increases the damage that a compromised administrator account can '. | |||||
'do to your install, by, for example, changing the authentication '. | |||||
'provider to a server they control and intercepting usernames and '. | |||||
'passwords.'. | |||||
"\n\n". | |||||
'To prevent this attack, you should configure your authentication '. | |||||
'providers, and then lock the configuration by doing `%s` '. | |||||
'from the command line. This will prevent changing the '. | |||||
'authentication provider config without first doing `%s`.', | |||||
'bin/auth lock', | |||||
'bin/auth unlock'); | |||||
$this | |||||
->newIssue('auth.config-unlocked') | |||||
->setShortName(pht('Auth Config Unlocked')) | |||||
->setName(pht('Authenticaton Provider Configuration Unlocked')) | |||||
->setMessage($message) | |||||
->addRelatedPhabricatorConfig('auth.lock-config') | |||||
->addCommand( | |||||
hsprintf( | |||||
'<tt>phabricator/ $</tt> ./bin/auth lock')); | |||||
} | } | ||||
} | } | ||||
} | } | ||||
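Review bot: `setName(pht('Authenticaton Provider Configuration Unlocked'))` in the new `auth.config-unlocked` issue misspells "Authentication"; this string is both the user-visible issue title and a `pht()` translation key, so it should be corrected before landing. A smaller consistency point in the same block: the message text tells the administrator to run `bin/auth lock` and `bin/auth unlock`, while the `addCommand()` call renders `./bin/auth lock`; pick one form so the prose and the copyable command match. The `$did_warn` guard on the `!$is_locked` condition does implement the suppression the comment describes (the lock reminder is skipped when the "No Auth Providers" issue already fired), so the logic itself looks right.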
epriestley: I guess maybe only show this if we aren't showing the other setup check (i.e., only show it if we have $configs) -- since they sort of follow naturally from one another ("No Configs" -> "Okay, you have configs, now lock them configs").
amckinley: Oh, good call.
Maybe phrase this more directly toward a first-time administrator by leading with a specific call to action before motivating that action, e.g.: