Feature #35439 » 0001-Option-to-require-2FA-authentication-only-for-users-.patch
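--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -247,6 +247,10 @@
 twofa == '1'
 end
 
+def self.twofa_required_for_administrators?
+twofa == '3'
+end
+
 # Helper that returns an array based on per_page_options setting
 def self.per_page_options_array
     per_page_options.split(%r{[\s,]}).collect(&:to_i).select {|n| n > 0}.sort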
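Review bot: `twofa_required_for_administrators?` makes '3' a state that `twofa_required?` does not recognise, so any code elsewhere that relies on `Setting.twofa_required?` to block deactivation or unpairing of a device would, if such a check exists, let administrators drop their second factor again under the new mode; the only caller adapted in this patch is `User#must_activate_twofa?`. A short comment above the new method would help the next reader, e.g. `# Setting value '3': two-factor authentication is mandatory for administrators only.` The method whose body ends at line 248 (`twofa == '1'`) starts outside the hunk, so whether it is `twofa_optional?` is inferred from the user.rb hunk rather than visible here.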
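--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -386,6 +386,7 @@
 def must_activate_twofa?
 (
 Setting.twofa_required? ||
+(Setting.twofa_required_for_administrators? && admin?) ||
 (Setting.twofa_optional? && groups.any?(&:twofa_required?))
 ) && !twofa_active?
 end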
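Review bot: Under the new value '3' the group-based requirement on the line after the added one is skipped, because that branch is guarded by `Setting.twofa_optional?`, which per the setting.rb hunk is true only for '1'; a non-admin member of a group with `twofa_required?` is therefore no longer forced to enrol once the instance switches from optional to required-for-administrators. If that is not intended, the guard should become `((Setting.twofa_optional? || Setting.twofa_required_for_administrators?) && groups.any?(&:twofa_required?))`. The `twofa_hint_required_administrators_html` text added in en.yml does not mention groups either, so whichever behaviour is chosen should be stated there.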
| app/views/settings/_authentication.html.erb | ||
|---|---|---|
| 31 | 31 | <p> | 
| 32 | 32 | <%= setting_select :twofa, [[l(:label_disabled), "0"], | 
| 33 | 33 | [l(:label_optional), "1"], | 
| 34 | [l(:label_required_lower), "2"]] -%> | |
| 34 | [l(:label_required_lower), "2"], | |
| 35 | [l(:label_required_administrators), "3"]] -%> | |
| 35 | 36 | <em class="info"> | 
| 36 | 37 | <%= t 'twofa_hint_disabled_html', label: t(:label_disabled) -%><br/> | 
| 37 | 38 | <%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/> | 
| 38 | <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%> | |
| 39 | <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%><br/> | |
| 40 | <%= t 'twofa_hint_required_administrators_html', label: t(:label_required_administrators) -%> | |
| 39 | 41 | </em> | 
| 40 | 42 | </p> | 
| 41 | 43 | |
| ... | ... | |
| 48 | 50 | <p><%= setting_select :session_lifetime, session_lifetime_options %></p> | 
| 49 | 51 | <p><%= setting_select :session_timeout, session_timeout_options %></p> | 
| 50 | 52 | </div> | 
| 51 |  | |
| 53 | ||
| 52 | 54 | <p><em class="info"><%= l(:text_session_expiration_settings) %></em></p> | 
| 53 | 55 | </fieldset> | 
| 54 | 56 | |
| config/additional_environment.rb.example | ||
|---|---|---|
| 7 | 7 | # config.log_level = :debug | 
| 8 | 8 | # ... | 
| 9 | 9 | # | 
| 10 | ||
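--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1019,6 +1019,7 @@
 label_readonly: Read-only
 label_required: Required
 label_required_lower: required
+label_required_administrators: required for administrators
 label_hidden: Hidden
   label_attribute_of_project: "Project's %{name}"
   label_attribute_of_issue: "Issue's %{name}"
@@ -1349,6 +1350,7 @@
   twofa_hint_disabled_html: Setting <strong>%{label}</strong> will deactivate and unpair two-factor authentication devices for all users.
   twofa_hint_optional_html: Setting <strong>%{label}</strong> will let users set up two-factor authentication at will, unless it is required by one of their groups.
   twofa_hint_required_html: Setting <strong>%{label}</strong> will require all users to set up two-factor authentication at their next login.
+  twofa_hint_required_administrators_html: Setting <strong>%{label}</strong> will require all users with administration rights to set up two-factor authentication at their next login.
 twofa_label_setup: Enable two-factor authentication
 twofa_label_deactivation_confirmation: Disable two-factor authentication
 twofa_notice_select: "Please select the two-factor scheme you would like to use:"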
| test/integration/twofa_test.rb | ||
|---|---|---|
| 31 | 31 | end | 
| 32 | 32 | end | 
| 33 | 33 | |
| 34 | test "should require twofa setup when required for administrators" do | |
| 35 | user = User.find_by_login 'admin' | |
| 36 | assert_not user.must_activate_twofa? | |
| 37 | ||
| 38 | with_settings twofa: "3" do | |
| 39 | assert_not Setting.twofa_optional? | |
| 40 | assert_not Setting.twofa_required? | |
| 41 | assert Setting.twofa_required_for_administrators? | |
| 42 | assert user.must_activate_twofa? | |
| 43 |       log_user('admin', 'admin') | |
| 44 | follow_redirect! | |
| 45 | assert_redirected_to "/my/twofa/totp/activate/confirm" | |
| 46 | end | |
| 47 | end | |
| 48 | ||
| 34 | 49 | test "should require twofa setup when required by group" do | 
| 35 | 50 | user = User.find_by_login 'jsmith' | 
| 36 | 51 | assert_not user.must_activate_twofa? |