src/applications/auth/guidance/PhabricatorAuthProvidersGuidanceEngineExtension.php

   1 <?php
   2
   3 final class PhabricatorAuthProvidersGuidanceEngineExtension
   4   extends PhabricatorGuidanceEngineExtension {
   5
   6   const GUIDANCEKEY = 'core.auth.providers';
   7
   8   public function canGenerateGuidance(PhabricatorGuidanceContext $context) {
   9     return ($context instanceof PhabricatorAuthProvidersGuidanceContext);
  10   }
  11
  12   public function generateGuidance(PhabricatorGuidanceContext $context) {
  13     $configs = id(new PhabricatorAuthProviderConfigQuery())
  14       ->setViewer(PhabricatorUser::getOmnipotentUser())
  15       ->withIsEnabled(true)
  16       ->execute();
  17
  18     $allows_registration = false;
  19     foreach ($configs as $config) {
  20       $provider = $config->getProvider();
  21       if ($provider->shouldAllowRegistration()) {
  22         $allows_registration = true;
  23         break;
  24       }
  25     }
  26
  27     // If no provider allows registration, we don't need provide any warnings
  28     // about registration being too open.
  29     if (!$allows_registration) {
  30       return array();
  31     }
  32
  33     $domains_key = 'auth.email-domains';
  34     $domains_link = $this->renderConfigLink($domains_key);
  35     $domains_value = PhabricatorEnv::getEnvConfig($domains_key);
  36
  37     $approval_key = 'auth.require-approval';
  38     $approval_link = $this->renderConfigLink($approval_key);
  39     $approval_value = PhabricatorEnv::getEnvConfig($approval_key);
  40
  41     $results = array();
  42
  43     if ($domains_value) {
  44       $message = pht(
  45         'This server is configured with an email domain whitelist (in %s), so '.
  46         'only users with a verified email address at one of these %s '.
  47         'allowed domain(s) will be able to register an account: %s',
  48         $domains_link,
  49         phutil_count($domains_value),
  50         phutil_tag('strong', array(), implode(', ', $domains_value)));
  51
  52       $results[] = $this->newGuidance('core.auth.email-domains.on')
  53         ->setMessage($message);
  54     } else {
  55       $message = pht(
  56         'Anyone who can browse to this this server will be able to '.
  57         'register an account. To add email domain restrictions, configure '.
  58         '%s.',
  59         $domains_link);
  60
  61       $results[] = $this->newGuidance('core.auth.email-domains.off')
  62         ->setMessage($message);
  63     }
  64
  65     if ($approval_value) {
  66       $message = pht(
  67         'Administrative approvals are enabled (in %s), so all new users must '.
  68         'have their accounts approved by an administrator.',
  69         $approval_link);
  70
  71       $results[] = $this->newGuidance('core.auth.require-approval.on')
  72         ->setMessage($message);
  73     } else {
  74       $message = pht(
  75         'Administrative approvals are disabled, so users who register will '.
  76         'be able to use their accounts immediately. To enable approvals, '.
  77         'configure %s.',
  78         $approval_link);
  79
  80       $results[] = $this->newGuidance('core.auth.require-approval.off')
  81         ->setMessage($message);
  82     }
  83
  84     if (!$domains_value && !$approval_value) {
  85       $message = pht(
  86         'You can safely ignore these warnings if the install itself has '.
  87         'access controls (for example, it is deployed on a VPN) or if all of '.
  88         'the configured providers have access controls (for example, they are '.
  89         'all private LDAP or OAuth servers).');
  90
  91       $results[] = $this->newWarning('core.auth.warning')
  92         ->setMessage($message);
  93     }
  94
  95     $locked_config_key = 'auth.lock-config';
  96     $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
  97     if ($is_locked) {
  98       $message = pht(
  99         'Authentication provider configuration is locked, and can not be '.
 100         'changed without being unlocked. See the configuration setting %s '.
 101         'for details.',
 102         phutil_tag(
 103           'a',
 104           array(
 105             'href' => '/config/edit/'.$locked_config_key,
 106           ),
 107           $locked_config_key));
 108
 109       $results[] = $this->newWarning('auth.locked-config')
 110         ->setPriority(500)
 111         ->setMessage($message);
 112     }
 113
 114     return $results;
 115   }
 116
 117   private function renderConfigLink($key) {
 118     return phutil_tag(
 119       'a',
 120       array(
 121         'href' => '/config/edit/'.$key.'/',
 122         'target' => '_blank',
 123       ),
 124       $key);
 125   }
 126
 127 }