0001-Option-to-require-2FA-authentication-only-for-users-.patch - Redmine

       end
       def self.twofa_optional?
         twofa == '1'
         %w[1 3].include? twofa
       end
       def self.twofa_required_for_administrators?
         twofa == '3'
       end
       # Helper that returns an array based on per_page_options setting

app/models/user.rb
387	387	return false if twofa_active?
388	388
389	389	return true if Setting.twofa_required?
	390	return true if Setting.twofa_required_for_administrators? && admin?
390	391	return true if Setting.twofa_optional? && groups.any?(&:twofa_required?)
391	392	end
392	393

     <p>
       <%= setting_select :twofa, [[l(:label_disabled), "0"],
                                   [l(:label_optional), "1"],
                                   [l(:label_required_administrators), "3"],
                                   [l(:label_required_lower), "2"]] -%>
       <em class="info">
         <%= t 'twofa_hint_disabled_html', label: t(:label_disabled) -%><br/>
         <%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/>
         <%= t 'twofa_hint_required_administrators_html', label: t(:label_required_administrators) -%><br/>
         <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%>
       </em>
     </p>
-...
         <p><%= setting_select :session_lifetime, session_lifetime_options %></p>
         <p><%= setting_select :session_timeout, session_timeout_options %></p>
       </div>
       <p><em class="info"><%= l(:text_session_expiration_settings) %></em></p>
     </fieldset>

       label_readonly: Read-only
       label_required: Required
       label_required_lower: required
       label_required_administrators: required for administrators
       label_hidden: Hidden
       label_attribute_of_project: "Project's %{name}"
       label_attribute_of_issue: "Issue's %{name}"
-...
       twofa_hint_disabled_html: Setting <strong>%{label}</strong> will deactivate and unpair two-factor authentication devices for all users.
       twofa_hint_optional_html: Setting <strong>%{label}</strong> will let users set up two-factor authentication at will, unless it is required by one of their groups.
       twofa_hint_required_html: Setting <strong>%{label}</strong> will require all users to set up two-factor authentication at their next login.
       twofa_hint_required_administrators_html: Setting <strong>%{label}</strong> behaves like optional, but will require all users with administration rights to set up two-factor authentication at their next login.
       twofa_label_setup: Enable two-factor authentication
       twofa_label_deactivation_confirmation: Disable two-factor authentication
       twofa_notice_select: "Please select the two-factor scheme you would like to use:"

         end
       end
       test "should require twofa setup when required for administrators" do
         admin = User.find_by_login 'admin'
         user = User.find_by_login 'jsmith'
         assert_not admin.must_activate_twofa?
         assert_not user.must_activate_twofa?
         with_settings twofa: "3" do
           assert_not Setting.twofa_required?
           assert Setting.twofa_optional?
           assert Setting.twofa_required_for_administrators?
           assert admin.must_activate_twofa?
           assert_not user.must_activate_twofa?
           log_user('admin', 'admin')
           follow_redirect!
           assert_redirected_to "/my/twofa/totp/activate/confirm"
         end
       end
       test "should require twofa setup when required by group" do
         user = User.find_by_login 'jsmith'
         assert_not user.must_activate_twofa?

Redmine