public function processRequest()
     $request = $this->getRequest();
     $user = $request->getUser();
     if ($request->isFormPost()) {
         $log = PhabricatorUserLog::newLog($user, $user, PhabricatorUserLog::ACTION_LOGOUT);
         return id(new AphrontRedirectResponse())->setURI('/login/');
     return id(new AphrontRedirectResponse())->setURI('/');
 public function processRequest()
     $request = $this->getRequest();
     $user = $request->getUser();
     if ($request->isFormPost()) {
         $log = PhabricatorUserLog::newLog($user, $user, PhabricatorUserLog::ACTION_LOGOUT);
         // Destroy the user's session in the database so logout works even if
         // their cookies have some issues. We'll detect cookie issues when they
         // try to login again and tell them to clear any junk.
         $phsid = $request->getCookie('phsid');
         if ($phsid) {
         return id(new AphrontRedirectResponse())->setURI('/login/');
     return id(new AphrontRedirectResponse())->setURI('/');
 public function processRequest()
     $request = $this->getRequest();
     $user = $request->getUser();
     if ($request->isFormPost()) {
         $log = PhabricatorUserLog::newLog($user, $user, PhabricatorUserLog::ACTION_LOGOUT);
         // Destroy the user's session in the database so logout works even if
         // their cookies have some issues. We'll detect cookie issues when they
         // try to login again and tell them to clear any junk.
         $phsid = $request->getCookie('phsid');
         if ($phsid) {
         return id(new AphrontRedirectResponse())->setURI('/login/');
     if ($user->getPHID()) {
         $dialog = id(new AphrontDialogView())->setUser($user)->setTitle('Log out of Phabricator?')->appendChild('<p>Are you sure you want to log out?</p>')->addSubmitButton('Log Out')->addCancelButton('/');
         return id(new AphrontDialogResponse())->setDialog($dialog);
     return id(new AphrontRedirectResponse())->setURI('/');
 private function processRoleRequest(PhabricatorUser $user)
     $request = $this->getRequest();
     $admin = $request->getUser();
     $is_self = $user->getID() == $admin->getID();
     $errors = array();
     if ($request->isFormPost()) {
         $log_template = PhabricatorUserLog::newLog($admin, $user, null);
         $logs = array();
         if ($is_self) {
             $errors[] = "You can not edit your own role.";
         } else {
             $new_admin = (bool) $request->getBool('is_admin');
             $old_admin = (bool) $user->getIsAdmin();
             if ($new_admin != $old_admin) {
                 id(new PhabricatorUserEditor())->setActor($admin)->makeAdminUser($user, $new_admin);
             $new_disabled = (bool) $request->getBool('is_disabled');
             $old_disabled = (bool) $user->getIsDisabled();
             if ($new_disabled != $old_disabled) {
                 id(new PhabricatorUserEditor())->setActor($admin)->disableUser($user, $new_disabled);
         if (!$errors) {
             return id(new AphrontRedirectResponse())->setURI($request->getRequestURI()->alter('saved', 'true'));
     $error_view = null;
     if ($errors) {
         $error_view = id(new AphrontErrorView())->setTitle('Form Errors')->setErrors($errors);
     $form = id(new AphrontFormView())->setUser($admin)->setAction($request->getRequestURI()->alter('saved', null));
     if ($is_self) {
         $form->appendChild('<p class="aphront-form-instructions">NOTE: You can not edit your own ' . 'role.</p>');
     $form->appendChild($this->getRoleInstructions())->appendChild(id(new AphrontFormCheckboxControl())->addCheckbox('is_admin', 1, 'Administrator', $user->getIsAdmin())->setDisabled($is_self))->appendChild(id(new AphrontFormCheckboxControl())->addCheckbox('is_disabled', 1, 'Disabled', $user->getIsDisabled())->setDisabled($is_self))->appendChild(id(new AphrontFormCheckboxControl())->addCheckbox('is_agent', 1, 'System Agent (Bot/Script User)', $user->getIsSystemAgent())->setDisabled(true));
     if (!$is_self) {
         $form->appendChild(id(new AphrontFormSubmitControl())->setValue('Edit Role'));
     $panel = new AphrontPanelView();
     $panel->setHeader('Edit Role');
     return array($error_view, $panel);
Ejemplo n.º 5
  * @task email
 public function changePrimaryEmail(PhabricatorUser $user, PhabricatorUserEmail $email)
     $actor = $this->requireActor();
     if (!$user->getID()) {
         throw new Exception("User has not been created yet!");
     if (!$email->getID()) {
         throw new Exception("Email has not been created yet!");
     if ($email->getUserPHID() != $user->getPHID()) {
         throw new Exception("User does not own email!");
     if ($email->getIsPrimary()) {
         throw new Exception("Email is already primary!");
     if (!$email->getIsVerified()) {
         throw new Exception("Email is not verified!");
     $old_primary = $user->loadPrimaryEmail();
     if ($old_primary) {
     $log = PhabricatorUserLog::newLog($actor, $user, PhabricatorUserLog::ACTION_EMAIL_PRIMARY);
     $log->setOldValue($old_primary ? $old_primary->getAddress() : null);
     if ($old_primary) {
         $old_primary->sendOldPrimaryEmail($user, $email);
     return $this;
Ejemplo n.º 6
  * Issue a new session key to this user. Phabricator supports different
  * types of sessions (like "web" and "conduit") and each session type may
  * have multiple concurrent sessions (this allows a user to be logged in on
  * multiple browsers at the same time, for instance).
  * Note that this method is transport-agnostic and does not set cookies or
  * issue other types of tokens, it ONLY generates a new session key.
  * You can configure the maximum number of concurrent sessions for various
  * session types in the Phabricator configuration.
  * @param   string  Session type, like "web".
  * @return  string  Newly generated session key.
 public function establishSession($session_type)
     $conn_w = $this->establishConnection('w');
     if (strpos($session_type, '-') !== false) {
         throw new Exception("Session type must not contain hyphen ('-')!");
     // We allow multiple sessions of the same type, so when a caller requests
     // a new session of type "web", we give them the first available session in
     // "web-1", "web-2", ..., "web-N", up to some configurable limit. If none
     // of these sessions is available, we overwrite the oldest session and
     // reissue a new one in its place.
     $session_limit = 1;
     switch ($session_type) {
         case 'web':
             $session_limit = PhabricatorEnv::getEnvConfig('auth.sessions.web');
         case 'conduit':
             $session_limit = PhabricatorEnv::getEnvConfig('auth.sessions.conduit');
             throw new Exception("Unknown session type '{$session_type}'!");
     $session_limit = (int) $session_limit;
     if ($session_limit <= 0) {
         throw new Exception("Session limit for '{$session_type}' must be at least 1!");
     // Load all the currently active sessions.
     $sessions = queryfx_all($conn_w, 'SELECT type, sessionStart FROM %T WHERE userPHID = %s AND type LIKE %>', PhabricatorUser::SESSION_TABLE, $this->getPHID(), $session_type . '-');
     // Choose which 'type' we'll actually establish, i.e. what number we're
     // going to append to the basic session type. To do this, just check all
     // the numbers sequentially until we find an available session.
     $establish_type = null;
     $sessions = ipull($sessions, null, 'type');
     for ($ii = 1; $ii <= $session_limit; $ii++) {
         if (empty($sessions[$session_type . '-' . $ii])) {
             $establish_type = $session_type . '-' . $ii;
     // If we didn't find an available session, choose the oldest session and
     // overwrite it.
     if (!$establish_type) {
         $sessions = isort($sessions, 'sessionStart');
         $oldest = reset($sessions);
         $establish_type = $oldest['type'];
     // Consume entropy to generate a new session key, forestalling the eventual
     // heat death of the universe.
     $entropy = Filesystem::readRandomBytes(20);
     $session_key = sha1($entropy);
     // UNGUARDED WRITES: Logging-in users don't have CSRF stuff yet.
     $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
     queryfx($conn_w, 'INSERT INTO %T ' . '(userPHID, type, sessionKey, sessionStart)' . ' VALUES ' . '(%s, %s, %s, UNIX_TIMESTAMP()) ' . 'ON DUPLICATE KEY UPDATE ' . 'sessionKey = VALUES(sessionKey), ' . 'sessionStart = VALUES(sessionStart)', self::SESSION_TABLE, $this->getPHID(), $establish_type, $session_key);
     $log = PhabricatorUserLog::newLog($this, $this, PhabricatorUserLog::ACTION_LOGIN);
     $log->setDetails(array('session_type' => $session_type, 'session_issued' => $establish_type));
     return $session_key;
 public function processRequest()
     $request = $this->getRequest();
     if ($request->getUser()->getPHID()) {
         // Kick the user out if they're already logged in.
         return id(new AphrontRedirectResponse())->setURI('/');
     $next_uri = $this->getRequest()->getPath();
     $request->setCookie('next_uri', $next_uri);
     if ($next_uri == '/login/' && !$request->isFormPost()) {
         // The user went straight to /login/, so presumably they want to go
         // to the dashboard upon logging in. Because, you know, that's logical.
         // And people are logical. Sometimes... Fine, no they're not.
         // We check for POST here because getPath() would get reset to /login/.
         $request->setCookie('next_uri', '/');
     // Always use $request->getCookie('next_uri', '/') after the above.
     $password_auth = PhabricatorEnv::getEnvConfig('auth.password-auth-enabled');
     $forms = array();
     $error_view = null;
     if ($password_auth) {
         $error = false;
         $username_or_email = $request->getCookie('phusr');
         if ($request->isFormPost()) {
             $username_or_email = $request->getStr('username_or_email');
             $user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email);
             if (!$user) {
                 $user = id(new PhabricatorUser())->loadOneWhere('email = %s', $username_or_email);
             $okay = false;
             if ($user) {
                 if ($user->comparePassword($request->getStr('password'))) {
                     $session_key = $user->establishSession('web');
                     $request->setCookie('phusr', $user->getUsername());
                     $request->setCookie('phsid', $session_key);
                     return id(new AphrontRedirectResponse())->setURI($request->getCookie('next_uri', '/'));
                 } else {
                     $log = PhabricatorUserLog::newLog(null, $user, PhabricatorUserLog::ACTION_LOGIN_FAILURE);
             if (!$okay) {
             $error = true;
         if ($error) {
             $error_view = new AphrontErrorView();
             $error_view->setTitle('Bad username/password.');
         $form = new AphrontFormView();
         $form->setUser($request->getUser())->setAction('/login/')->appendChild(id(new AphrontFormTextControl())->setLabel('Username/Email')->setName('username_or_email')->setValue($username_or_email))->appendChild(id(new AphrontFormPasswordControl())->setLabel('Password')->setName('password')->setCaption('<a href="/login/email/">' . 'Forgot your password? / Email Login</a>'))->appendChild(id(new AphrontFormSubmitControl())->setValue('Login'));
         //    $panel->setCreateButton('Register New Account', '/login/register/');
         $forms['Phabricator Login'] = $form;
     $providers = PhabricatorOAuthProvider::getAllProviders();
     foreach ($providers as $provider) {
         $enabled = $provider->isProviderEnabled();
         if (!$enabled) {
         $auth_uri = $provider->getAuthURI();
         $redirect_uri = $provider->getRedirectURI();
         $client_id = $provider->getClientID();
         $provider_name = $provider->getProviderName();
         $minimum_scope = $provider->getMinimumScope();
         $extra_auth = $provider->getExtraAuthParameters();
         // TODO: In theory we should use 'state' to prevent CSRF, but the total
         // effect of the CSRF attack is that an attacker can cause a user to login
         // to Phabricator if they're already logged into some OAuth provider. This
         // does not seem like the most severe threat in the world, and generating
         // CSRF for logged-out users is vaugely tricky.
         if ($provider->isProviderRegistrationEnabled()) {
             $title = "Login or Register with {$provider_name}";
             $body = "Login or register for Phabricator using your " . "{$provider_name} account.";
             $button = "Login or Register with {$provider_name}";
         } else {
             $title = "Login with {$provider_name}";
             $body = "Login to your existing Phabricator account using your " . "{$provider_name} account.<br /><br /><strong>You can not use " . "{$provider_name} to register a new account.</strong>";
             $button = "Login with {$provider_name}";
         $auth_form = new AphrontFormView();
         $auth_form->setAction($auth_uri)->addHiddenInput('client_id', $client_id)->addHiddenInput('redirect_uri', $redirect_uri)->addHiddenInput('scope', $minimum_scope);
         foreach ($extra_auth as $key => $value) {
             $auth_form->addHiddenInput($key, $value);
         $auth_form->setUser($request->getUser())->setMethod('GET')->appendChild('<p class="aphront-form-instructions">' . $body . '</p>')->appendChild(id(new AphrontFormSubmitControl())->setValue("{$button} »"));
         $forms[$title] = $auth_form;
     $panel = new AphrontPanelView();
     foreach ($forms as $name => $form) {
         $panel->appendChild('<h1>' . $name . '</h1>');
         $panel->appendChild('<br />');
     return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Login'));
Ejemplo n.º 8
  * Issue a new session key to this user. Phabricator supports different
  * types of sessions (like "web" and "conduit") and each session type may
  * have multiple concurrent sessions (this allows a user to be logged in on
  * multiple browsers at the same time, for instance).
  * Note that this method is transport-agnostic and does not set cookies or
  * issue other types of tokens, it ONLY generates a new session key.
  * You can configure the maximum number of concurrent sessions for various
  * session types in the Phabricator configuration.
  * @param   string  Session type, like "web".
  * @return  string  Newly generated session key.
 public function establishSession($session_type)
     $conn_w = $this->establishConnection('w');
     if (strpos($session_type, '-') !== false) {
         throw new Exception("Session type must not contain hyphen ('-')!");
     // We allow multiple sessions of the same type, so when a caller requests
     // a new session of type "web", we give them the first available session in
     // "web-1", "web-2", ..., "web-N", up to some configurable limit. If none
     // of these sessions is available, we overwrite the oldest session and
     // reissue a new one in its place.
     $session_limit = 1;
     switch ($session_type) {
         case 'web':
             $session_limit = PhabricatorEnv::getEnvConfig('auth.sessions.web');
         case 'conduit':
             $session_limit = PhabricatorEnv::getEnvConfig('auth.sessions.conduit');
             throw new Exception("Unknown session type '{$session_type}'!");
     $session_limit = (int) $session_limit;
     if ($session_limit <= 0) {
         throw new Exception("Session limit for '{$session_type}' must be at least 1!");
     // NOTE: Session establishment is sensitive to race conditions, as when
     // piping `arc` to `arc`:
     //   arc export ... | arc paste ...
     // To avoid this, we overwrite an old session only if it hasn't been
     // re-established since we read it.
     // Consume entropy to generate a new session key, forestalling the eventual
     // heat death of the universe.
     $session_key = Filesystem::readRandomCharacters(40);
     // Load all the currently active sessions.
     $sessions = queryfx_all($conn_w, 'SELECT type, sessionKey, sessionStart FROM %T
     WHERE userPHID = %s AND type LIKE %>', PhabricatorUser::SESSION_TABLE, $this->getPHID(), $session_type . '-');
     $sessions = ipull($sessions, null, 'type');
     $sessions = isort($sessions, 'sessionStart');
     $existing_sessions = array_keys($sessions);
     $retries = 0;
     while (true) {
         // Choose which 'type' we'll actually establish, i.e. what number we're
         // going to append to the basic session type. To do this, just check all
         // the numbers sequentially until we find an available session.
         $establish_type = null;
         for ($ii = 1; $ii <= $session_limit; $ii++) {
             $try_type = $session_type . '-' . $ii;
             if (!in_array($try_type, $existing_sessions)) {
                 $establish_type = $try_type;
                 $expect_key = $session_key;
                 $existing_sessions[] = $try_type;
                 // Ensure the row exists so we can issue an update below. We don't
                 // care if we race here or not.
                 queryfx($conn_w, 'INSERT IGNORE INTO %T (userPHID, type, sessionKey, sessionStart)
           VALUES (%s, %s, %s, 0)', self::SESSION_TABLE, $this->getPHID(), $establish_type, $session_key);
         // If we didn't find an available session, choose the oldest session and
         // overwrite it.
         if (!$establish_type) {
             $oldest = reset($sessions);
             $establish_type = $oldest['type'];
             $expect_key = $oldest['sessionKey'];
         // UNGUARDED WRITES: Logging-in users don't have CSRF stuff yet.
         $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
         // This is so that we'll only overwrite the session if it hasn't been
         // refreshed since we read it. If it has, the session key will be
         // different and we know we're racing other processes. Whichever one
         // won gets the session, we go back and try again.
         queryfx($conn_w, 'UPDATE %T SET sessionKey = %s, sessionStart = UNIX_TIMESTAMP()
         WHERE userPHID = %s AND type = %s AND sessionKey = %s', self::SESSION_TABLE, $session_key, $this->getPHID(), $establish_type, $expect_key);
         if ($conn_w->getAffectedRows()) {
             // The update worked, so the session is valid.
         } else {
             // We know this just got grabbed, so don't try it again.
         if (++$retries > $session_limit) {
             throw new Exception("Failed to establish a session!");
     $log = PhabricatorUserLog::newLog($this, $this, PhabricatorUserLog::ACTION_LOGIN);
     $log->setDetails(array('session_type' => $session_type, 'session_issued' => $establish_type));
     return $session_key;
 private function processRoleRequest(PhabricatorUser $user)
     $request = $this->getRequest();
     $admin = $request->getUser();
     $is_self = $user->getID() == $admin->getID();
     $errors = array();
     if ($request->isFormPost()) {
         $log_template = PhabricatorUserLog::newLog($admin, $user, null);
         $logs = array();
         if ($is_self) {
             $errors[] = "You can not edit your own role.";
         } else {
             $new_admin = (bool) $request->getBool('is_admin');
             $old_admin = (bool) $user->getIsAdmin();
             if ($new_admin != $old_admin) {
                 $log = clone $log_template;
                 $logs[] = $log;
             $new_disabled = (bool) $request->getBool('is_disabled');
             $old_disabled = (bool) $user->getIsDisabled();
             if ($new_disabled != $old_disabled) {
                 $log = clone $log_template;
                 $logs[] = $log;
         if (!$errors) {
             foreach ($logs as $log) {
             return id(new AphrontRedirectResponse())->setURI($request->getRequestURI()->alter('saved', 'true'));
     $error_view = null;
     if ($errors) {
         $error_view = id(new AphrontErrorView())->setTitle('Form Errors')->setErrors($errors);
     $form = id(new AphrontFormView())->setUser($admin)->setAction($request->getRequestURI()->alter('saved', null));
     if ($is_self) {
         $form->appendChild('<p class="aphront-form-instructions">NOTE: You can not edit your own ' . 'role.</p>');
     $form->appendChild($this->getRoleInstructions())->appendChild(id(new AphrontFormCheckboxControl())->addCheckbox('is_admin', 1, 'Admin: wields absolute power.', $user->getIsAdmin())->setDisabled($is_self))->appendChild(id(new AphrontFormCheckboxControl())->addCheckbox('is_disabled', 1, 'Disabled: can not login.', $user->getIsDisabled())->setDisabled($is_self));
     if (!$is_self) {
         $form->appendChild(id(new AphrontFormSubmitControl())->setValue('Edit Role'));
     $panel = new AphrontPanelView();
     $panel->setHeader('Edit Role');
     return array($error_view, $panel);
 public function processRequest()
     $request = $this->getRequest();
     if ($request->getUser()->getPHID()) {
         // Kick the user out if they're already logged in.
         return id(new AphrontRedirectResponse())->setURI('/');
     if ($request->isConduit()) {
         // A common source of errors in Conduit client configuration is getting
         // the request path wrong. The client will end up here, so make some
         // effort to give them a comprehensible error message.
         $request_path = $this->getRequest()->getPath();
         $conduit_path = '/api/<method>';
         $example_path = '/api/';
         $message = "ERROR: You are making a Conduit API request to '{$request_path}', " . "but the correct HTTP request path to use in order to access a " . "Conduit method is '{$conduit_path}' (for example, " . "'{$example_path}'). Check your configuration.";
         return id(new AphrontPlainTextResponse())->setContent($message);
     $error_view = null;
     if ($request->getCookie('phusr') && $request->getCookie('phsid')) {
         // The session cookie is invalid, so clear it.
         $error_view = new AphrontErrorView();
         $error_view->setTitle('Invalid Session');
         $error_view->setErrors(array("Your login session is invalid. Try logging in again. If that " . "doesn't work, clear your browser cookies."));
     $next_uri = $this->getRequest()->getPath();
     if ($next_uri == '/login/') {
         $next_uri = '/';
     if (!$request->isFormPost()) {
         $request->setCookie('next_uri', $next_uri);
     $password_auth = PhabricatorEnv::getEnvConfig('auth.password-auth-enabled');
     $forms = array();
     $errors = array();
     if ($password_auth) {
         $require_captcha = false;
         $e_captcha = true;
         $username_or_email = $request->getCookie('phusr');
         if ($request->isFormPost()) {
             if (AphrontFormRecaptchaControl::isRecaptchaEnabled()) {
                 $failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(PhabricatorUserLog::ACTION_LOGIN_FAILURE, 60 * 15);
                 if (count($failed_attempts) > 5) {
                     $require_captcha = true;
                     if (!AphrontFormRecaptchaControl::processCaptcha($request)) {
                         if (AphrontFormRecaptchaControl::hasCaptchaResponse($request)) {
                             $e_captcha = 'Invalid';
                             $errors[] = 'CAPTCHA was not entered correctly.';
                         } else {
                             $e_captcha = 'Required';
                             $errors[] = 'Too many login failures recently. You must ' . 'submit a CAPTCHA with your login request.';
             $username_or_email = $request->getStr('username_or_email');
             $user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email);
             if (!$user) {
                 $user = id(new PhabricatorUser())->loadOneWhere('email = %s', $username_or_email);
             if (!$errors) {
                 // Perform username/password tests only if we didn't get rate limited
                 // by the CAPTCHA.
                 if (!$user || !$user->comparePassword($request->getStr('password'))) {
                     $errors[] = 'Bad username/password.';
             if (!$errors) {
                 $session_key = $user->establishSession('web');
                 $request->setCookie('phusr', $user->getUsername());
                 $request->setCookie('phsid', $session_key);
                 $uri = new PhutilURI('/login/validate/');
                 $uri->setQueryParams(array('phusr' => $user->getUsername()));
                 return id(new AphrontRedirectResponse())->setURI((string) $uri);
             } else {
                 $log = PhabricatorUserLog::newLog(null, $user, PhabricatorUserLog::ACTION_LOGIN_FAILURE);
         if ($errors) {
             $error_view = new AphrontErrorView();
             $error_view->setTitle('Login Failed');
         $form = new AphrontFormView();
         $form->setUser($request->getUser())->setAction('/login/')->appendChild(id(new AphrontFormTextControl())->setLabel('Username/Email')->setName('username_or_email')->setValue($username_or_email))->appendChild(id(new AphrontFormPasswordControl())->setLabel('Password')->setName('password')->setCaption('<a href="/login/email/">' . 'Forgot your password? / Email Login</a>'));
         if ($require_captcha) {
             $form->appendChild(id(new AphrontFormRecaptchaControl())->setError($e_captcha));
         $form->appendChild(id(new AphrontFormSubmitControl())->setValue('Login'));
         //    $panel->setCreateButton('Register New Account', '/login/register/');
         $forms['Phabricator Login'] = $form;
     $providers = PhabricatorOAuthProvider::getAllProviders();
     foreach ($providers as $provider) {
         $enabled = $provider->isProviderEnabled();
         if (!$enabled) {
         $auth_uri = $provider->getAuthURI();
         $redirect_uri = $provider->getRedirectURI();
         $client_id = $provider->getClientID();
         $provider_name = $provider->getProviderName();
         $minimum_scope = $provider->getMinimumScope();
         $extra_auth = $provider->getExtraAuthParameters();
         // TODO: In theory we should use 'state' to prevent CSRF, but the total
         // effect of the CSRF attack is that an attacker can cause a user to login
         // to Phabricator if they're already logged into some OAuth provider. This
         // does not seem like the most severe threat in the world, and generating
         // CSRF for logged-out users is vaugely tricky.
         if ($provider->isProviderRegistrationEnabled()) {
             $title = "Login or Register with {$provider_name}";
             $body = 'Login or register for Phabricator using your ' . phutil_escape_html($provider_name) . ' account.';
             $button = "Login or Register with {$provider_name}";
         } else {
             $title = "Login with {$provider_name}";
             $body = 'Login to your existing Phabricator account using your ' . phutil_escape_html($provider_name) . ' account.<br /><br />' . '<strong>You can not use ' . phutil_escape_html($provider_name) . ' to register a new ' . 'account.</strong>';
             $button = "Login with {$provider_name}";
         $auth_form = new AphrontFormView();
         $auth_form->setAction($auth_uri)->addHiddenInput('client_id', $client_id)->addHiddenInput('redirect_uri', $redirect_uri)->addHiddenInput('scope', $minimum_scope);
         foreach ($extra_auth as $key => $value) {
             $auth_form->addHiddenInput($key, $value);
         $auth_form->setUser($request->getUser())->setMethod('GET')->appendChild('<p class="aphront-form-instructions">' . $body . '</p>')->appendChild(id(new AphrontFormSubmitControl())->setValue("{$button} »"));
         $forms[$title] = $auth_form;
     $panel = new AphrontPanelView();
     foreach ($forms as $name => $form) {
         $panel->appendChild('<h1>' . $name . '</h1>');
         $panel->appendChild('<br />');
     return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Login'));