Add setting for enforcing 2FA (#1259)

* Add setting for enforcing 2FA * Changes after code-review * Add Test-Cases for Obligatory 2FA
2019-06-17 17:08:27 +02:00
parent c5a2bd35b7
commit 0a1429ed60
5 changed files with 75 additions and 3 deletions
--- a/src/pretix/control/middleware.py
+++ b/src/pretix/control/middleware.py
@@ -35,6 +35,19 @@ class PermissionMiddleware:
        "user.settings.notifications.off",
    )

+    EXCEPTIONS_2FA = (
+        "user.settings.2fa",
+        "user.settings.2fa.add",
+        "user.settings.2fa.enable",
+        "user.settings.2fa.disable",
+        "user.settings.2fa.regenemergency",
+        "user.settings.2fa.confirm.totp",
+        "user.settings.2fa.confirm.u2f",
+        "user.settings.2fa.delete",
+        "auth.logout",
+        "user.reauth"
+    )
+
    def __init__(self, get_response=None):
        self.get_response = get_response
        super().__init__()
@@ -83,6 +96,10 @@ class PermissionMiddleware:
            if url_name not in ('user.reauth', 'auth.logout'):
                return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))

+        if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
+                and url_name not in self.EXCEPTIONS_2FA:
+            return redirect(reverse('control:user.settings.2fa'))
+
        if 'event' in url.kwargs and 'organizer' in url.kwargs:
            with scope(organizer=None):
                request.event = Event.objects.filter(
--- a/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
+++ b/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
@@ -11,15 +11,35 @@
            smartphone or a hardware token generator and that changes on a regular basis.
        {% endblocktrans %}
    </p>
+    {% if settings.PRETIX_OBLIGATORY_2FA %}
+        <div class="panel panel-warning">
+            <div class="panel-heading">
+                <h3 class="panel-title">{% trans "Obligatory usage of two-factor authentication" %}</h3>
+            </div>
+            <div class="panel-body">
+                <p>
+                    <strong>{% trans "This system enforces the usage of two-factor authentication!" %}</strong>
+                </p>
+            {% if not devices %}
+                <p>{% trans "Please set up at least one device below." %}</p>
+            {% elif not user.require_2fa %}
+                <p>{% trans "Please activate two-factor authentication using the button below." %}</p>
+            {% endif %}
+            </div>
+        </div>
+
+    {% endif %}
    {% if user.require_2fa %}
        <div class="panel panel-success">
            <div class="panel-heading">
                <h3 class="panel-title">{% trans "Two-factor status" %}</h3>
            </div>
            <div class="panel-body">
-                <a href="{% url "control:user.settings.2fa.disable" %}" class="btn btn-primary pull-right">
-                    {% trans "Disable" %}
-                </a>
+                {% if not settings.PRETIX_OBLIGATORY_2FA %}
+                    <a href="{% url "control:user.settings.2fa.disable" %}" class="btn btn-primary pull-right">
+                        {% trans "Disable" %}
+                    </a>
+                {% endif %}
                <p>
                    <strong>{% trans "Two-factor authentication is currently enabled." %}</strong>
                </p>