Path: blob/master/src/applications/auth/guidance/PhabricatorAuthProvidersGuidanceEngineExtension.php
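<?php

/**
 * Guidance extension for the authentication providers page.
 *
 * Produces notes and warnings describing how open account registration is,
 * based on the enabled auth providers and on the `auth.email-domains`,
 * `auth.require-approval` and `auth.lock-config` settings.
 */
final class PhabricatorAuthProvidersGuidanceEngineExtension
  extends PhabricatorGuidanceEngineExtension {

  const GUIDANCEKEY = 'core.auth.providers';

  /**
   * Only generate guidance for the auth providers context.
   *
   * @param PhabricatorGuidanceContext $context Context being rendered.
   * @return bool True when $context is the auth providers context.
   */
  public function canGenerateGuidance(PhabricatorGuidanceContext $context) {
    return ($context instanceof PhabricatorAuthProvidersGuidanceContext);
  }

  /**
   * Build the list of guidance items about registration exposure.
   *
   * Returns an empty list when no enabled provider allows registration.
   * Otherwise returns one item for the email domain setting, one for the
   * approval setting, a warning when neither restriction is active, and a
   * warning when provider configuration is locked.
   *
   * @param PhabricatorGuidanceContext $context Context being rendered.
   * @return array List of guidance items; may be empty.
   */
  public function generateGuidance(PhabricatorGuidanceContext $context) {
    // The provider configs are loaded as the omnipotent user, so the answer
    // does not depend on which providers the current viewer may see. Only
    // the aggregate "does anything allow registration?" flag is used below;
    // no per-provider detail is placed in the returned messages.
    $configs = id(new PhabricatorAuthProviderConfigQuery())
      ->setViewer(PhabricatorUser::getOmnipotentUser())
      ->withIsEnabled(true)
      ->execute();

    $allows_registration = false;
    foreach ($configs as $config) {
      $provider = $config->getProvider();
      if ($provider->shouldAllowRegistration()) {
        $allows_registration = true;
        break;
      }
    }

    // If no provider allows registration, we don't need to provide any
    // warnings about registration being too open.
    if (!$allows_registration) {
      return array();
    }

    $domains_key = 'auth.email-domains';
    $domains_link = $this->renderConfigLink($domains_key);
    $domains_value = PhabricatorEnv::getEnvConfig($domains_key);

    $approval_key = 'auth.require-approval';
    $approval_link = $this->renderConfigLink($approval_key);
    $approval_value = PhabricatorEnv::getEnvConfig($approval_key);

    $results = array();

    // Both settings are tested for truthiness, so an unset or empty value is
    // reported as "no restriction configured".
    if ($domains_value) {
      // The domain list is passed to phutil_tag() as plain string content
      // rather than concatenated into markup; phutil_tag() is relied on to
      // escape it.
      $message = pht(
        'This server is configured with an email domain whitelist (in %s), so '.
        'only users with a verified email address at one of these %s '.
        'allowed domain(s) will be able to register an account: %s',
        $domains_link,
        phutil_count($domains_value),
        phutil_tag('strong', array(), implode(', ', $domains_value)));

      $results[] = $this->newGuidance('core.auth.email-domains.on')
        ->setMessage($message);
    } else {
      $message = pht(
        'Anyone who can browse to this server will be able to '.
        'register an account. To add email domain restrictions, configure '.
        '%s.',
        $domains_link);

      $results[] = $this->newGuidance('core.auth.email-domains.off')
        ->setMessage($message);
    }

    if ($approval_value) {
      $message = pht(
        'Administrative approvals are enabled (in %s), so all new users must '.
        'have their accounts approved by an administrator.',
        $approval_link);

      $results[] = $this->newGuidance('core.auth.require-approval.on')
        ->setMessage($message);
    } else {
      $message = pht(
        'Administrative approvals are disabled, so users who register will '.
        'be able to use their accounts immediately. To enable approvals, '.
        'configure %s.',
        $approval_link);

      $results[] = $this->newGuidance('core.auth.require-approval.off')
        ->setMessage($message);
    }

    // With neither a domain restriction nor approvals, registration is only
    // as restricted as the install and its providers are. Say so explicitly
    // so the operator can decide whether that is acceptable.
    if (!$domains_value && !$approval_value) {
      $message = pht(
        'You can safely ignore these warnings if the install itself has '.
        'access controls (for example, it is deployed on a VPN) or if all of '.
        'the configured providers have access controls (for example, they are '.
        'all private LDAP or OAuth servers).');

      $results[] = $this->newWarning('core.auth.warning')
        ->setMessage($message);
    }

    $locked_config_key = 'auth.lock-config';
    $is_locked = PhabricatorEnv::getEnvConfig($locked_config_key);
    if ($is_locked) {
      // Use the same link helper as the other settings so that all three
      // configuration links are built the same way.
      $message = pht(
        'Authentication provider configuration is locked, and can not be '.
        'changed without being unlocked. See the configuration setting %s '.
        'for details.',
        $this->renderConfigLink($locked_config_key));

      $results[] = $this->newWarning('auth.locked-config')
        ->setPriority(500)
        ->setMessage($message);
    }

    return $results;
  }

  /**
   * Render a link to the edit page of a configuration option.
   *
   * The key is used both as the link text and as a path component of a
   * same-origin relative URI. Every caller in this class passes a fixed
   * string literal, never request data. Attribute and content escaping is
   * left to phutil_tag().
   *
   * @param string $key Configuration option key.
   * @return mixed Anchor tag as returned by phutil_tag().
   */
  private function renderConfigLink($key) {
    return phutil_tag(
      'a',
      array(
        'href' => '/config/edit/'.$key.'/',
        'target' => '_blank',
      ),
      $key);
  }

}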