"Do nothing" does nothing. It's mostly for working with the "Other Herald Rule" conditions.

Do you remember what the "Do nothing" Herald rule is about?

Uhm. My root problem is: sometime I need to talk to my boss with a stand-up comedy monologue like this:

Hi @speck are you still a Mercurial user? Does arc browse <file> work for you? Just for my curiosity

yeah, typo. I'll fix it again...

ok, now I understand.

Thanks :) Silly question since I'm not native English: is there a repetition in "creating revision from revision from raw diff"?

I agree and that is why the general idea is: still showing your Diffs, but, showing the selected one (even if it's not yours). So it's just a +1 entry

I suspect just listing all open revisions would make using this page even worse - users will have to wade through a giant list.

In an early version I did not consider "do it only in create mode". Now I think the patch D25338 does what we imagine.

Here the follow-up:

Can I just propose a veeery small fix for this (it's one line, after all), and then create another one to modernize the workflow with that component? I'm not sure I will be able to do not destroy everything if I immediately try the modernization ihih

consider just replacing the selector with a modern AphrontFormTokenizerControl - that smart search features.

\o/

I was honestly not aware of that. Interesting. Thanks!

DO you know about arc browse?

Yeah but I think the "Normal" priority is better than "Low" since we are hackers hating white screens and so that is quite important ihih

In discussion over a support ticket one of the potential options that was discussed was having a "An MFA challenge is about to appear, click to continue" prompt in the workflow as a means to prepare users to get their phones/devices ready so they can respond within the 30 seconds. Right now since MFA is opt-in per each user instead of required per auth portal - the current login workflow will immediately prompt you for MFA after successful login, which might surprise users who fumble to get the TOTP code out (it's happened to me).

The comments in https://secure.phabricator.com/T9770 discuss the "spyglass" attack and how this behavior is meant to be more secure.

This is just a frontend change, after all. Adding UX

I think the current revision is a good compromise. The current behavior makes no sense from the perspective of modern UX patterns:

Thank you speck since you helped me a lot in clarifying the situation.

Ah yeah please share that :) Premising I agree that losing the current token is a problem that can be fixed with "hey, prepare your token, 3, 2, 1, go!"

I had discussed this with Evan previously and he gave a great explanation for why the current behavior exists, something he refers to as “spyglass attack”. I’d have to go back and review the explanation. What I recall the outcome being a few options, one of which was prompting the user that they are about to be promoted for MFA before issuing the challenge, to give the user time to prepare.

In T15161#4416, @avivey wrote:

I agree with this, but I think we should let this wait for broader discussion - there maybe good counter-arguments.