Changeset View
Changeset View
Standalone View
Standalone View
src/applications/config/check/PhabricatorAuthSetupCheck.php
| Show All 16 Lines | protected function executeChecks() { | ||||
| // that providers are enabled, available, correctly configured, etc. As | // that providers are enabled, available, correctly configured, etc. As | ||||
| // long as they've created some kind of provider in the auth app before, | // long as they've created some kind of provider in the auth app before, | ||||
| // they know that it exists and don't need the hint to go check it out. | // they know that it exists and don't need the hint to go check it out. | ||||
| $configs = id(new PhabricatorAuthProviderConfigQuery()) | $configs = id(new PhabricatorAuthProviderConfigQuery()) | ||||
| ->setViewer(PhabricatorUser::getOmnipotentUser()) | ->setViewer(PhabricatorUser::getOmnipotentUser()) | ||||
| ->execute(); | ->execute(); | ||||
| $did_warn = false; | |||||
| if (!$configs) { | if (!$configs) { | ||||
| $message = pht( | $message = pht( | ||||
| 'You have not configured any authentication providers yet. You '. | 'You have not configured any authentication providers yet. You '. | ||||
| 'should add a provider (like username/password, LDAP, or GitHub '. | 'should add a provider (like username/password, LDAP, or GitHub '. | ||||
| 'OAuth) so users can register and log in. You can add and configure '. | 'OAuth) so users can register and log in. You can add and configure '. | ||||
| 'providers using the Auth Application.'); | 'providers using the Auth Application.'); | ||||
| $this | $this | ||||
| ->newIssue('auth.noproviders') | ->newIssue('auth.noproviders') | ||||
| ->setShortName(pht('No Auth Providers')) | ->setShortName(pht('No Auth Providers')) | ||||
| ->setName(pht('No Authentication Providers Configured')) | ->setName(pht('No Authentication Providers Configured')) | ||||
| ->setMessage($message) | ->setMessage($message) | ||||
| ->addLink('/auth/', pht('Auth Application')); | ->addLink('/auth/', pht('Auth Application')); | ||||
| $did_warn = true; | |||||
| } | |||||
| // This check is meant for new administrators, but we don't want to | |||||
| // show both this warning and the "No Auth Providers" warning. Also, | |||||
| // show this as a reminder to go back and do a `bin/auth lock` after | |||||
| // they make their desired changes. | |||||
| $is_locked = PhabricatorEnv::getEnvConfig('auth.lock-config'); | |||||
| if (!$is_locked && !$did_warn) { | |||||
| $message = pht( | |||||
| 'Your authentication provider configuration is unlocked. Once you '. | |||||
| 'finish setting up or modifying authentication, you should lock the '. | |||||
| 'configuration to prevent unauthorized changes.'. | |||||
| "\n\n". | |||||
| 'Leaving your authentication provider configuration unlocked '. | |||||
| 'increases the damage that a compromised administrator account can '. | |||||
| 'do to your install, by, for example, changing the authentication '. | |||||
| 'provider to a server they control and intercepting usernames and '. | |||||
| 'passwords.'. | |||||
| "\n\n". | |||||
| 'To prevent this attack, you should configure your authentication '. | |||||
| 'providers, and then lock the configuration by doing `%s` '. | |||||
| 'from the command line. This will prevent changing the '. | |||||
| 'authentication provider config without first doing `%s`.', | |||||
| 'bin/auth lock', | |||||
| 'bin/auth unlock'); | |||||
| $this | |||||
| ->newIssue('auth.config-unlocked') | |||||
| ->setShortName(pht('Auth Config Unlocked')) | |||||
| ->setName(pht('Authenticaton Provider Configuration Unlocked')) | |||||
| ->setMessage($message) | |||||
| ->addRelatedPhabricatorConfig('auth.lock-config') | |||||
| ->addCommand( | |||||
| hsprintf( | |||||
| '<tt>phabricator/ $</tt> ./bin/auth lock')); | |||||
| } | } | ||||
| } | } | ||||
| } | } | ||||
epriestley: I guess maybe only show this if we aren't show the other setup check (i.e., only show it if we… | |||||
Done Inline ActionsOh, good call. amckinley: Oh, good call. | |||||
I guess maybe only show this if we aren't show the other setup check (i.e., only show it if we have $configs) -- since they sort of follow naturally from one another ("No Configs" -> "Okay, you have configs, now lock them configs").
Maybe phrase this more directly toward a first-time administrator by leading with a specific call to action before motivating that action, e.g.: