recaptime.dev
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
1@title User Guide: Unlocking Objects
2@group userguide
3
4Explains how to access locked or invisible objects and accounts.
5
6Overview
7========
8
9Phorge tries to make it difficult for users to lock themselves out of
10things, but you can occasionally end up in situations where no one has access
11to an object that you need access to.
12
13For example, sometimes the only user who had edit permission for something has
14left the organization, or you configured a "Phase of the Moon" policy rule and
15the stars aren't currently aligned.
16
17You can use various CLI tools to unlock objects and accounts if you need to
18regain access.
19
20
21Unlocking Accounts
22==================
23
24If you need to regain access to an object, the easiest approach is usually to
25recover access to the account which owns it, then change the object policies
26to be more open using the web UI.
27
28For example, if an important task was accidentally locked so that only a user
29who is currently on vacation can edit it, you can log in as that user and
30change the edit policy to something more permissive.
31
32To regain access to an account:
33
34```
35$ ./bin/auth recover <username>
36```
37
38If the account you're recovering access to has MFA or other session prompts,
39use the `--force-full-session` to bypass them:
40
41```
42$ ./bin/auth recover <username> --force-full-session
43```
44
45In either case, the command will give you a link you a one-time link you can
46use to access the account from the web UI. From there, you can open up objects
47or change settings.
48
49
50Unlocking MFA
51=============
52
53You can completely strip MFA from a user account with:
54
55```
56$ ./bin/auth strip --user <username> ...
57```
58
59For detailed help on managing and stripping MFA, see the instructions in
60@{article:User Guide: Multi-Factor Authentication}
61
62
63Unlocking Objects
64=================
65
66If you aren't sure who owns an object, you can inspect the policies from the
67CLI:
68
69```
70$ ./bin/policy show <object>
71```
72
73To identify the object you want to examine, you can specify an object
74name (like `T123`) or a PHID as the `<object>` parameter.
75
76If examining the policy isn't helpful, or no user account has access to an
77object, you can then directly change object policies from the CLI:
78
79```
80$ ./bin/policy unlock <object> [--view ...] [--edit ...] [--owner ...]
81```
82
83Use the `--view` and `--edit` flags (and, for some objects, the `--owner`
84flag) to specify new policies for the object.
85
86For example, to make task `T123` editable by user `@alice`, run:
87
88```
89$ ./bin/policy unlock T123 --edit alice
90```
91
92Not every object has mutable view and edit policies, and not every object has
93an owner, so each flag only works on some types of objects.
94
95From here, you can log in to the web UI and change the relevant policies to
96whatever you want to set them to.
97
98
99No Enabled Users
100================
101
102If you accidentally disabled all administrator accounts, you can enable a
103disabled account from the CLI like this:
104
105```
106$ ./bin/user enable --user <username>
107```
108
109From here, recover the account or log in normally.
110
111
112No Administrators
113=================
114
115If you accidentally deleted all the administrator accounts, you can empower
116a user as an administrator from the CLI like this:
117
118```
119$ ./bin/user empower --user <username>
120```
121
122This will upgrade the user account from a regular account to an administrator
123account.