Allow team admins to require two-factor authentication (#4034)

* Allow team admins to require two-factor authentication * Add API tests * Improve logic * ADd button tooltip
2024-04-02 17:15:16 +02:00
parent 50838b9cea
commit 4ea4189e6d
18 changed files with 282 additions and 30 deletions
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -39,7 +39,8 @@ from pretix.base.models import Device, Event, User
 from pretix.base.models.auth import SuperuserPermissionSet
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.security import (
-    SessionInvalid, SessionReauthRequired, assert_session_valid,
+    Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired,
+    SessionReauthRequired, assert_session_valid,
 )


@@ -66,6 +67,10 @@ class EventPermission(BasePermission):
                return False
            except SessionReauthRequired:
                return False
+            except Session2FASetupRequired:
+                return False
+            except SessionPasswordChangeRequired:
+                return False

        perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken))
                       else request.user)
@@ -144,6 +149,10 @@ class ProfilePermission(BasePermission):
                return False
            except SessionReauthRequired:
                return False
+            except Session2FASetupRequired:
+                return False
+            except SessionPasswordChangeRequired:
+                return False

        if isinstance(request.auth, OAuthAccessToken):
            if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
@@ -166,5 +175,9 @@ class AnyAuthenticatedClientPermission(BasePermission):
                return False
            except SessionReauthRequired:
                return False
+            except Session2FASetupRequired:
+                return False
+            except SessionPasswordChangeRequired:
+                return False

        return True
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -239,7 +239,7 @@ class TeamSerializer(serializers.ModelSerializer):
    class Meta:
        model = Team
        fields = (
-            'id', 'name', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
+            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
            'can_change_vouchers', 'can_checkin_orders', 'can_manage_customers', 'can_manage_reusable_media'