
diff --git a/src/applications/auth/controller/PhabricatorAuthStartController.php b/src/applications/auth/controller/PhabricatorAuthStartController.php
index 3dc8c61a51..29fa7e0b9f 100644
--- a/src/applications/auth/controller/PhabricatorAuthStartController.php
+++ b/src/applications/auth/controller/PhabricatorAuthStartController.php
@@ -1,332 +1,332 @@
<?php
final class PhabricatorAuthStartController
extends PhabricatorAuthController {
public function shouldRequireLogin() {
return false;
}
public function handleRequest(AphrontRequest $request) {
$viewer = $request->getUser();
if ($viewer->isLoggedIn()) {
// Kick the user home if they are already logged in.
return id(new AphrontRedirectResponse())->setURI('/');
}
if ($request->isAjax()) {
return $this->processAjaxRequest();
}
if ($request->isConduit()) {
return $this->processConduitRequest();
}
// If the user gets this far, they aren't logged in, so if they have a
// user session token we can conclude that it's invalid: if it was valid,
// they'd have been logged in above and never made it here. Try to clear
// it and warn the user they may need to nuke their cookies.
$session_token = $request->getCookie(PhabricatorCookies::COOKIE_SESSION);
$did_clear = $request->getStr('cleared');
if (strlen($session_token)) {
$kind = PhabricatorAuthSessionEngine::getSessionKindFromToken(
$session_token);
switch ($kind) {
case PhabricatorAuthSessionEngine::KIND_ANONYMOUS:
// If this is an anonymous session. It's expected that they won't
// be logged in, so we can just continue.
break;
default:
// The session cookie is invalid, so try to clear it.
$request->clearCookie(PhabricatorCookies::COOKIE_USERNAME);
$request->clearCookie(PhabricatorCookies::COOKIE_SESSION);
// We've previously tried to clear the cookie but we ended up back
// here, so it didn't work. Hard fatal instead of trying again.
if ($did_clear) {
return $this->renderError(
pht(
'Your login session is invalid, and clearing the session '.
'cookie was unsuccessful. Try clearing your browser cookies.'));
}
$redirect_uri = $request->getRequestURI();
$redirect_uri->setQueryParam('cleared', 1);
return id(new AphrontRedirectResponse())->setURI($redirect_uri);
}
}
// If we just cleared the session cookie and it worked, clean up after
// ourselves by redirecting to get rid of the "cleared" parameter. The
// the workflow will continue normally.
if ($did_clear) {
$redirect_uri = $request->getRequestURI();
$redirect_uri->setQueryParam('cleared', null);
return id(new AphrontRedirectResponse())->setURI($redirect_uri);
}
$providers = PhabricatorAuthProvider::getAllEnabledProviders();
foreach ($providers as $key => $provider) {
if (!$provider->shouldAllowLogin()) {
unset($providers[$key]);
}
}
if (!$providers) {
if ($this->isFirstTimeSetup()) {
// If this is a fresh install, let the user register their admin
// account.
return id(new AphrontRedirectResponse())
->setURI($this->getApplicationURI('/register/'));
}
return $this->renderError(
pht(
'This Phabricator install is not configured with any enabled '.
'authentication providers which can be used to log in. If you '.
'have accidentally locked yourself out by disabling all providers, '.
- 'you can use `%s` to recover access to an administrative account.',
+ 'you can use `%s` to recover access to an account.',
'phabricator/bin/auth recover <username>'));
}
$next_uri = $request->getStr('next');
if (!strlen($next_uri)) {
if ($this->getDelegatingController()) {
// Only set a next URI from the request path if this controller was
// delegated to, which happens when a user tries to view a page which
// requires them to login.
// If this controller handled the request directly, we're on the main
// login page, and never want to redirect the user back here after they
// login.
$next_uri = (string)$this->getRequest()->getRequestURI();
}
}
if (!$request->isFormPost()) {
if (strlen($next_uri)) {
PhabricatorCookies::setNextURICookie($request, $next_uri);
}
PhabricatorCookies::setClientIDCookie($request);
}
$auto_response = $this->tryAutoLogin($providers);
if ($auto_response) {
return $auto_response;
}
$invite = $this->loadInvite();
$not_buttons = array();
$are_buttons = array();
$providers = msort($providers, 'getLoginOrder');
foreach ($providers as $provider) {
if ($invite) {
$form = $provider->buildInviteForm($this);
} else {
$form = $provider->buildLoginForm($this);
}
if ($provider->isLoginFormAButton()) {
$are_buttons[] = $form;
} else {
$not_buttons[] = $form;
}
}
$out = array();
$out[] = $not_buttons;
if ($are_buttons) {
require_celerity_resource('auth-css');
foreach ($are_buttons as $key => $button) {
$are_buttons[$key] = phutil_tag(
'div',
array(
'class' => 'phabricator-login-button mmb',
),
$button);
}
// If we only have one button, add a second pretend button so that we
// always have two columns. This makes it easier to get the alignments
// looking reasonable.
if (count($are_buttons) == 1) {
$are_buttons[] = null;
}
$button_columns = id(new AphrontMultiColumnView())
->setFluidLayout(true);
$are_buttons = array_chunk($are_buttons, ceil(count($are_buttons) / 2));
foreach ($are_buttons as $column) {
$button_columns->addColumn($column);
}
$out[] = phutil_tag(
'div',
array(
'class' => 'phabricator-login-buttons',
),
$button_columns);
}
$handlers = PhabricatorAuthLoginHandler::getAllHandlers();
$delegating_controller = $this->getDelegatingController();
$header = array();
foreach ($handlers as $handler) {
$handler = clone $handler;
$handler->setRequest($request);
if ($delegating_controller) {
$handler->setDelegatingController($delegating_controller);
}
$header[] = $handler->getAuthLoginHeaderContent();
}
$invite_message = null;
if ($invite) {
$invite_message = $this->renderInviteHeader($invite);
}
$custom_message = $this->newCustomStartMessage();
$crumbs = $this->buildApplicationCrumbs();
$crumbs->addTextCrumb(pht('Login'));
$crumbs->setBorder(true);
$title = pht('Login');
$view = array(
$header,
$invite_message,
$custom_message,
$out,
);
return $this->newPage()
->setTitle($title)
->setCrumbs($crumbs)
->appendChild($view);
}
private function processAjaxRequest() {
$request = $this->getRequest();
$viewer = $request->getUser();
// We end up here if the user clicks a workflow link that they need to
// login to use. We give them a dialog saying "You need to login...".
if ($request->isDialogFormPost()) {
return id(new AphrontRedirectResponse())->setURI(
$request->getRequestURI());
}
// Often, users end up here by clicking a disabled action link in the UI
// (for example, they might click "Edit Subtasks" on a Maniphest task
// page). After they log in we want to send them back to that main object
// page if we can, since it's confusing to end up on a standalone page with
// only a dialog (particularly if that dialog is another error,
// like a policy exception).
$via_header = AphrontRequest::getViaHeaderName();
$via_uri = AphrontRequest::getHTTPHeader($via_header);
if (strlen($via_uri)) {
PhabricatorCookies::setNextURICookie($request, $via_uri, $force = true);
}
return $this->newDialog()
->setTitle(pht('Login Required'))
->appendParagraph(pht('You must log in to take this action.'))
->addSubmitButton(pht('Log In'))
->addCancelButton('/');
}
private function processConduitRequest() {
$request = $this->getRequest();
$viewer = $request->getUser();
// A common source of errors in Conduit client configuration is getting
// the request path wrong. The client will end up here, so make some
// effort to give them a comprehensible error message.
$request_path = $this->getRequest()->getPath();
$conduit_path = '/api/<method>';
$example_path = '/api/conduit.ping';
$message = pht(
'ERROR: You are making a Conduit API request to "%s", but the correct '.
'HTTP request path to use in order to access a COnduit method is "%s" '.
'(for example, "%s"). Check your configuration.',
$request_path,
$conduit_path,
$example_path);
return id(new AphrontPlainTextResponse())->setContent($message);
}
protected function renderError($message) {
return $this->renderErrorPage(
pht('Authentication Failure'),
array($message));
}
private function tryAutoLogin(array $providers) {
$request = $this->getRequest();
// If the user just logged out, don't immediately log them in again.
if ($request->getURIData('loggedout')) {
return null;
}
// If we have more than one provider, we can't autologin because we
// don't know which one the user wants.
if (count($providers) != 1) {
return null;
}
$provider = head($providers);
if (!$provider->supportsAutoLogin()) {
return null;
}
$config = $provider->getProviderConfig();
if (!$config->getShouldAutoLogin()) {
return null;
}
$auto_uri = $provider->getAutoLoginURI($request);
return id(new AphrontRedirectResponse())
->setIsExternal(true)
->setURI($auto_uri);
}
private function newCustomStartMessage() {
$viewer = $this->getViewer();
$text = PhabricatorAuthMessage::loadMessageText(
$viewer,
PhabricatorAuthLoginMessageType::MESSAGEKEY);
if (!strlen($text)) {
return null;
}
$remarkup_view = new PHUIRemarkupView($viewer, $text);
return phutil_tag(
'div',
array(
'class' => 'auth-custom-message',
),
$remarkup_view);
}
}
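Review bot: The `next` request parameter read by `$next_uri = $request->getStr('next');` is written to the next-URI cookie via `PhabricatorCookies::setNextURICookie($request, $next_uri);` with no validation visible in this file, and `processAjaxRequest()` stores the Via header value the same way with `$force = true`. Both values are client-controlled, so the post-login redirect is only safe if the code that reads the cookie rejects non-local URIs; that code is outside this hunk and cannot be confirmed from here. I would record the assumption next to both cookie writes, for example `// $next_uri is client-controlled; it must be checked as a local URI where the cookie is consumed.`, or reject non-local values before storing them. Separately, the Conduit error string in `processConduitRequest()` spells the name "COnduit".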
diff --git a/src/docs/user/configuration/configuring_accounts_and_registration.diviner b/src/docs/user/configuration/configuring_accounts_and_registration.diviner
index 8a4c59b193..05d11b11f3 100644
--- a/src/docs/user/configuration/configuring_accounts_and_registration.diviner
+++ b/src/docs/user/configuration/configuring_accounts_and_registration.diviner
@@ -1,69 +1,67 @@
@title Configuring Accounts and Registration
@group config
Describes how to configure user access to Phabricator.
= Overview =
Phabricator supports a number of login systems. You can enable or disable these
systems to configure who can register for and access your install, and how users
with existing accounts can login.
Methods of logging in are called **Authentication Providers**. For example,
there is a "Username/Password" authentication provider available, which allows
users to log in with a traditional username and password. Other providers
support logging in with other credentials. For example:
- - **Username/Password:** Users use a username and password to log in or
- register.
- **LDAP:** Users use LDAP credentials to log in or register.
- **OAuth:** Users use accounts on a supported OAuth2 provider (like
GitHub, Facebook, or Google) to log in or register.
- **Other Providers:** More providers are available, and Phabricator
can be extended with custom providers. See the "Auth" application for
a list of available providers.
By default, no providers are enabled. You must use the "Auth" application to
add one or more providers after you complete the installation process.
After you add a provider, you can link it to existing accounts (for example,
associate an existing Phabricator account with a GitHub OAuth account) or users
can use it to register new accounts (assuming you enable these options).
-= Recovering Administrator Accounts =
+= Recovering Inaccessible Accounts =
-If you accidentally lock yourself out of Phabricator, you can use the `bin/auth`
-script to recover access to an administrator account. To recover access, run:
+If you accidentally lock yourself out of Phabricator (for example, by disabling
+all authentication providers), you can use the `bin/auth`
+script to recover access to an account. To recover access, run:
phabricator/ $ ./bin/auth recover <username>
-...where `<username>` is the admin account username you want to recover access
-to. This will give you a link which will log you in as the specified
-administrative user.
+...where `<username>` is the account username you want to recover access
+to. This will generate a link which will log you in as the specified user.
= Managing Accounts with the Web Console =
To manage accounts from the web, login as an administrator account and go to
`/people/` or click "People" on the homepage. Provided you're an admin,
you'll see options to create or edit accounts.
= Manually Creating New Accounts =
There are two ways to manually create new accounts: via the web UI using
the "People" application (this is easiest), or via the CLI using the
`accountadmin` binary (this has a few more options).
To use the CLI script, run:
phabricator/ $ ./bin/accountadmin
-Some options (like setting passwords and changing certain account flags) are
-only available from the CLI. You can also use this script to make a user
-an administrator (if you accidentally remove your admin flag) or create an
+Some options (like changing certain account flags) are only available from
+the CLI. You can also use this script to make a user
+an administrator (if you accidentally remove your admin flag) or to create an
administrative account.
= Next Steps =
Continue by:
- returning to the @{article:Configuration Guide}.
