Feature #35439 » 0001-Option-to-require-2FA-authentication-only-for-users-.patch
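--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -386,7 +386,12 @@
 def must_activate_twofa?
 (
 Setting.twofa_required? ||
-(Setting.twofa_optional? && groups.any?(&:twofa_required?))
+(
+Setting.twofa_optional? && (
+groups.any?(&:twofa_required?) ||
+(Setting.twofa_required_for_administrators? && self.admin)
+)
+)
 ) && !twofa_active?
 end
 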
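Review bot: The administrator rule added at new line 392 sits inside the `Setting.twofa_optional?` branch, so it is silently inactive whenever 2FA is globally disabled ("0") even if `twofa_required_for_administrators` is stored as "1"; the test in this patch confirms that is the intent, but nothing in the code says so. A one-line comment above the new `(` on line 389 would keep a later reader from loosening the guard or trusting the setting on its own: `# admin enforcement is a sub-option of "optional" 2FA; with twofa disabled it does not apply`. Separately, `self.admin` reads a bare attribute where every other term of the expression is a predicate; plain `admin` (or an `admin?` predicate, if the model defines one) reads more consistently.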
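--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -37,6 +37,12 @@
 <%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/>
 <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%>
 </em>
+<span id="twofa_optional" class="<%= "hidden" unless Setting.twofa == "1" %>">
+<label class="block">
+<%= setting_check_box :twofa_required_for_administrators, label: false %>
+<%= l(:setting_twofa_required_for_administrators) %>
+</label>
+</span>
 </p>
 
 </div>
@@ -54,3 +60,16 @@
 
 <%= submit_tag l(:button_save) %>
 <% end %>
+
+<%= javascript_tag do %>
+  $('#settings_twofa').on('change', function(e){
+const twofa = e.target.value;
+    const parent_block = document.getElementById("twofa_optional");
+
+    if (twofa == "1") {
+      parent_block.classList.remove('hidden');
+    } else {
+      parent_block.classList.add('hidden');
+}
+});
+<% end %>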
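Review bot: The visibility test on new line 40, `Setting.twofa == "1"`, re-implements a rule the model already expresses as `Setting.twofa_optional?` (user.rb uses that predicate for the very same decision, and the patch's test pins "1" to it); comparing the raw string here lets the view and the model drift apart, so `class="<%= "hidden" unless Setting.twofa_optional? %>"` is both safer and self-explaining. Note also that hiding the span only changes CSS: the checkbox stays in the form and is still submitted, so a stored `twofa_required_for_administrators` of "1" survives switching 2FA to "0" and silently re-applies when 2FA is set back to optional; acceptable, but worth a comment on the span. In the second hunk the handler mixes jQuery (`$('#settings_twofa')`) with `document.getElementById`; a single `$('#twofa_optional').toggleClass('hidden', e.target.value != "1");` does the same job in one style and one line.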
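--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -508,6 +508,7 @@
 setting_show_status_changes_in_mail_subject: Show status changes in issue mail notifications subject
 setting_project_list_defaults: Projects list defaults
 setting_twofa: Two-factor authentication
+setting_twofa_required_for_administrators: Require two-factor authentication for administrators
 
 permission_add_project: Create project
 permission_add_subprojects: Create subprojects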
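--- a/config/settings.yml
+++ b/config/settings.yml
@@ -37,6 +37,9 @@
 twofa:
 default: 1
 security_notifications: 1
+twofa_required_for_administrators:
+default: 0
+security_notifications: 1
 unsubscribe:
 default: 1
 password_required_char_classes: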
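--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -31,6 +31,26 @@
 end
 end
 
+test "should require twofa setup when required for administrators" do
+user = User.find_by_login 'admin'
+assert_not user.must_activate_twofa?
+
+with_settings twofa: "0", twofa_required_for_administrators: "1" do
+assert_not Setting.twofa_optional?
+assert_not Setting.twofa_required?
+assert_not user.must_activate_twofa?
+end
+
+with_settings twofa: "1", twofa_required_for_administrators: "1" do
+assert Setting.twofa_optional?
+assert_not Setting.twofa_required?
+assert user.must_activate_twofa?
+      log_user('admin', 'admin')
+follow_redirect!
+assert_redirected_to "/my/twofa/totp/activate/confirm"
+end
+end
+
 test "should require twofa setup when required by group" do
 user = User.find_by_login 'jsmith'
 assert_not user.must_activate_twofa?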
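Review bot: The new test only checks that an admin is forced into TOTP activation; it never asserts the negative case that gives the setting its meaning, namely that a non-admin under optional 2FA with `twofa_required_for_administrators: "1"` is left alone. Inside the second `with_settings` block, before `log_user`, add `assert_not User.find_by_login('jsmith').must_activate_twofa?` (the `jsmith` fixture is the user the neighbouring group test starts from as not-yet-forced, so it should hold unless that fixture is an admin). Without it, a regression that dropped the `self.admin` conjunct in user.rb — forcing 2FA on every user whenever the checkbox is on — would still pass this test.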