
Prevent users from editing, disabling, or swapping their primary contact number while they have SMS MFA
Closed, Public

Authored by epriestley on Jan 23 2019, 7:12 PM.

Details

Summary

Depends on D20022. Ref T13222. Since you can easily lock yourself out of your account by swapping to a bad number, prevent contact number edits while "contact number" MFA (today, always SMS) is enabled.

(Another approach would be to bind factors to specific contact numbers, and then prevent that number from being edited or disabled while SMS MFA was attached to it. However, I think that's a bit more complicated and a little more unwieldy, and ends up in about the same place as this. I'd consider it more strongly in the future if we had like 20 users say "I have 9 phones" but I doubt this is a real use case.)

Test Plan
  • With SMS MFA, tried to edit my primary contact number, disable it, and promote another number to become primary. Got a sensible error message in all cases.
  • After removing SMS MFA, did all that stuff with no issues.
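The guard described in the summary, as an added example that is not code from this revision or from Phabricator: a small Python model that refuses to edit, disable, or swap the primary contact number while an SMS factor is attached. The class and function names are hypothetical, the phone numbers are constructed, and leaving non-primary numbers editable is an assumption taken from the revision title.

```python
from dataclasses import dataclass, field

class ContactNumberLocked(Exception):
    """A change would alter where SMS MFA codes are delivered."""

@dataclass
class ContactNumber:
    number: str
    primary: bool = False
    disabled: bool = False

@dataclass
class Account:  # hypothetical model, not Phabricator's own classes
    numbers: list = field(default_factory=list)
    factors: set = field(default_factory=set)  # e.g. {"totp", "sms"}

    def _guard(self, action):
        # The SMS factor follows whatever number is currently primary, so
        # changing the primary while the factor is on can lock the user out.
        if "sms" in self.factors:
            raise ContactNumberLocked(
                f"cannot {action} the primary number while SMS MFA is enabled")

    def edit(self, target, new_number):
        if target.primary:
            self._guard("edit")
        target.number = new_number

    def disable(self, target):
        if target.primary:
            self._guard("disable")
        target.disabled, target.primary = True, False

    def make_primary(self, target):
        if not target.primary:  # promoting another number swaps the primary
            self._guard("swap")
        for n in self.numbers:
            n.primary = n is target

def attempt(op, *args):
    try:
        op(*args)
        return "ok"
    except ContactNumberLocked:
        return "blocked"

def run_plan(factors):
    # Mirrors the test plan: edit, disable, promote. Numbers are constructed.
    a, b = ContactNumber("+1-555-0100", primary=True), ContactNumber("+1-555-0101")
    acct = Account([a, b], set(factors))
    return [attempt(acct.edit, a, "+1-555-0199"), attempt(acct.disable, a),
            attempt(acct.make_primary, b)]
```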

Diff Detail

Repository: rP Phabricator
Branch: mfa18
Lint: Lint Passed
Unit: Tests Passed
Build Status: Buildable 21648
  Build 29523: Run Core Tests
  Build 29522: arc lint + arc unit