
Prevent mailing lists from being bin/auth recover'd
ClosedPublic

Authored by epriestley on Oct 24 2015, 1:35 PM.
Tags
None
Subscribers
None

Details

Summary

Fixes T9610.

  • We currently permit you to bin/auth recover users who can not establish web sessions (but this will never work). Prevent this.
  • We don't emit a tailored error if you follow one of these links. Tailor the error.

Even with the first fix, you can still hit the second case by doing something like:

  • Recover a normal user.
  • Make them a mailing list in the DB.
  • Follow the recovery link.

The original issue here was an install that did a large migration and set all users to be mailing lists. Normal installs should never encounter this, but it's not wholly unreasonable to have daemons or mailing lists with the administrator flag.

Test Plan
  • Tried to follow a recovery link for a mailing list.
  • Tried to generate a recovery link for a mailing list.
  • Generated and followed a recovery link for a normal administrator.

Screen Shot 2015-10-24 at 6.29.16 AM.png (797×1 px, 134 KB)

epriestley@orbital ~/dev/phabricator $ ./bin/auth recover tortise-list
Usage Exception: This account ("tortise-list") can not establish web sessions, so it is not possible to generate a functional recovery link. Special accounts like daemons and mailing lists can not log in via the web UI.
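The two fixes described in the summary amount to one rule enforced at two points: an account that cannot establish a web session must be refused when a recovery link is generated, and refused again (with a tailored error) when a link is followed, because the account may have been turned into a mailing list between those two moments. The following stand-alone Python model illustrates that pattern; it is an added example written for this page, not Phabricator's PHP code, and every name in it (Account, RecoveryError, generate_recovery_link, follow_recovery_link, the signing key and the error strings) is an assumption of the model rather than something the revision defines.

```python
"""Model of a recovery-link flow that refuses accounts which cannot establish
web sessions both when a link is issued and when it is redeemed.
Constructed example for illustration; not Phabricator's implementation."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class RecoveryError(Exception):
    """Carries the user-facing message for a refused issue or redeem."""


@dataclass
class Account:
    username: str
    is_admin: bool = False
    is_mailing_list: bool = False  # "special" account, never logs in
    is_daemon: bool = False        # likewise

    def can_establish_web_sessions(self) -> bool:
        # A recovery link for a daemon or mailing list could never yield a
        # usable session, so there is no point issuing or honouring one.
        return not (self.is_mailing_list or self.is_daemon)


# Per-process signing key (constructed; a real install persists its own).
_SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 24 * 60 * 60


def _sign(payload: str) -> str:
    return hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def generate_recovery_link(directory: Dict[str, Account], username: str,
                           now: Optional[float] = None) -> str:
    """Equivalent of `bin/auth recover <username>`: returns a signed token
    of the form `<username>:<expiry>:<hmac>` (assumed format)."""
    account = directory.get(username)
    if account is None:
        raise RecoveryError(f'No user account exists with username "{username}".')
    if not account.can_establish_web_sessions():
        # First fix from the summary: refuse at generation time.
        raise RecoveryError(
            f'This account ("{username}") can not establish web sessions, so it '
            "is not possible to generate a functional recovery link. Special "
            "accounts like daemons and mailing lists can not log in via the web UI."
        )
    expires = int(_now(now)) + LINK_TTL_SECONDS
    payload = f"{username}:{expires}"
    return f"{payload}:{_sign(payload)}"


def follow_recovery_link(directory: Dict[str, Account], token: str,
                         now: Optional[float] = None) -> Dict[str, str]:
    """Redeem a token. The account type is re-checked here because it may
    have changed (e.g. user converted to a mailing list) since issuance."""
    parts = token.rsplit(":", 2)
    if len(parts) != 3:
        raise RecoveryError("Malformed recovery link.")
    username, expires_str, sig = parts
    # Verify the signature over the exact bytes we issued before trusting
    # anything else in the token; compare_digest avoids timing leaks.
    if not hmac.compare_digest(sig, _sign(f"{username}:{expires_str}")):
        raise RecoveryError("Recovery link signature is invalid.")
    if _now(now) > int(expires_str):
        raise RecoveryError("Recovery link has expired.")
    account = directory.get(username)
    if account is None:
        raise RecoveryError("Recovery link refers to an account that no longer exists.")
    if not account.can_establish_web_sessions():
        # Second fix from the summary: a tailored error instead of a generic one.
        raise RecoveryError(
            f'This recovery link is for the account "{username}", which can not '
            "establish web sessions. Special accounts like daemons and mailing "
            "lists can not log in via the web UI, so the link can not be used."
        )
    return {"username": username, "session": secrets.token_hex(16)}


def error_message(fn: Callable, *args, **kwargs) -> Optional[str]:
    """Return the RecoveryError message `fn` raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except RecoveryError as exc:
        return str(exc)
    return None


def make_directory() -> Dict[str, Account]:
    """Constructed sample accounts mirroring the test plan above."""
    return {
        "tortise-list": Account("tortise-list", is_admin=True, is_mailing_list=True),
        "alice": Account("alice", is_admin=True),
    }


if __name__ == "__main__":
    users = make_directory()
    print(error_message(generate_recovery_link, users, "tortise-list"))
    link = generate_recovery_link(users, "alice")
    print(follow_recovery_link(users, link)["username"])
    users["alice"].is_mailing_list = True  # converted after the link was issued
    print(error_message(follow_recovery_link, users, link))
```

The redeem-side check is the one that matters for the scenario in the summary: generating a link for a normal user, flipping that user to a mailing list in the database, and then following the link must fail with the tailored message rather than silently producing no session.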

Diff Detail

Repository
rP Phabricator
Branch
sauth1
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 8390
Build 9635: Run Core Tests
Build 9634: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Prevent mailing lists from being bin/auth recover'd.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Oct 25 2015, 1:05 AM
This revision was automatically updated to reflect the committed changes.