author | Byron Jones <glob@mozilla.com> | 2015-10-29 17:04:56 +0100 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-10-29 17:04:56 +0100 |
commit | b6d9211091e8d35f638b67b2b25fb3b00fb93134 (patch) | |
tree | 2d69ff90d8f2aa2255812b621e09bee6361b6c67 | |
parent | 175f9c1022672ae8d47c93ad0cf31084eb868ecb (diff) | |
Bug 1213757 - delegate password and 2fa resets to servicedesk
-rw-r--r-- | Bugzilla/Install.pm | 4 | ||||
-rw-r--r-- | Bugzilla/User.pm | 13 | ||||
-rwxr-xr-x | editusers.cgi | 3 | ||||
-rw-r--r-- | extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl | 10 | ||||
-rw-r--r-- | template/en/default/admin/users/userdata.html.tmpl | 2 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 4 |
6 files changed, 32 insertions, 4 deletions
diff --git a/Bugzilla/Install.pm b/Bugzilla/Install.pm
index 715251154..97b8b677c 100644
--- a/Bugzilla/Install.pm
+++ b/Bugzilla/Install.pm
@@ -247,6 +247,10 @@ use constant SYSTEM_GROUPS => (
 name => 'bz_quip_moderators',
 description => 'Can moderate quips',
 },
+ {
+ name => 'bz_can_disable_mfa',
+ description => 'Can disable MFA when editing users',
+ },
 );

 use constant DEFAULT_CLASSIFICATION => {
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d2de6b548..ebd82002f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -270,6 +270,9 @@ sub update {
 }
 if (exists $changes->{mfa} && $self->mfa eq '') {
+ if (Bugzilla->user->id != $self->id) {
+ Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));
+ }
 $dbh->do("DELETE FROM profile_mfa WHERE user_id = ?", undef, $self->id);
 }
@@ -369,6 +372,16 @@ sub _check_mfa {
 $provider = lc($provider // '');
 return 'TOTP' if $provider eq 'totp';
 return 'Duo' if $provider eq 'duo';
+
+ # you must be member of the bz_can_disable_mfa group to disable mfa for
+ # other accounts.
+ if ($provider eq '') {
+ my $user = Bugzilla->user;
+ if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) {
+ ThrowUserError('mfa_disable_denied');
+ }
+ }
+
 return '';
 }
diff --git a/editusers.cgi b/editusers.cgi
index c7851d00a..c3ea9a49e 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -270,9 +270,8 @@ if ($action eq 'search') {
 ? $cgi->param('password_change_reason')
 : ''
 );
- if ($user->in_group('admin') && $otherUser->mfa && $cgi->param('mfa') eq '') {
+ if ($user->in_group('bz_can_disable_mfa') && $otherUser->mfa && $cgi->param('mfa') eq '') {
 $otherUser->set_mfa('');
- Bugzilla->audit(sprintf('%s disabled 2FA for %s', $user->login, $otherUser->login));
 }
 $changes = $otherUser->update();
 }
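Review bot: The new audit call in `update` fires only when `Bugzilla->user->id != $self->id`, so a user disabling their own second factor is not audited at all, whereas the editusers.cgi entry this commit removes covered at least the admin-initiated case. Disabling 2FA is security-relevant regardless of who does it — it is exactly what someone holding a stolen session would do to weaken the account — so I would drop the id check and always record `Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));`. The entry is also written before the `DELETE` statement runs; if that statement fails, the audit log claims a disable that did not happen, so placing the call after `$dbh->do` would be safer. `update` begins outside the hunk.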
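Review bot: The new branch in `_check_mfa` dereferences `$self->id`, but if this validator is also run at create time the way Bugzilla::Object runs its VALIDATORS (`$class->$validator(...)`), `$self` is the class name rather than an object and `$self->id` would die under strict refs with an empty provider; guarding the branch with `if ($provider eq '' && ref $self) {` avoids that while keeping the check for updates. The check also fires for any value that normalises to '' on another account, including accounts that have no MFA configured, so a caller without `bz_can_disable_mfa` that passes an empty value through `set_mfa` is rejected even though nothing is being disabled — editusers.cgi in this commit avoids that path, other callers may not. `_check_mfa` begins outside the hunk.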
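Review bot: The rewritten condition in editusers.cgi still compares `$cgi->param('mfa') eq ''` with no defined check, so a request that omits the field raises an uninitialized-value warning and, for a target with MFA set, is treated as a disable request; `($cgi->param('mfa') // '') eq ''` makes the fallback explicit, or better, act only when the parameter is actually present. Since the audit call is removed here and now lives in `Bugzilla::User::update`, a one-line comment on the `set_mfa('')` call such as `# the disable is audited in Bugzilla::User::update` would stop the next reader from concluding the audit was dropped. The enclosing block starts and ends outside the hunk.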
diff --git a/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl b/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
index 3817f4fa1..55b716864 100644
--- a/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
+++ b/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
@@ -1,3 +1,11 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
 This email would have contained sensitive information, but you have not set a PGP/GPG key or SMIME certificate in the "Secure Mail" section of your user preferences.
@@ -13,5 +21,5 @@ You can see this bug's current state at:
 [%+ urlbase %]show_bug.cgi?id=[% bug_id %]
 [% END %]
 [% ELSIF email_type == 'admin' %]
-You will have to contact [% maintainer %] to reset your password.
+You will have to contact servicedesk@mozilla.com to reset your password.
 [% END %]
diff --git a/template/en/default/admin/users/userdata.html.tmpl b/template/en/default/admin/users/userdata.html.tmpl
index a455ef84b..449a1b143 100644
--- a/template/en/default/admin/users/userdata.html.tmpl
+++ b/template/en/default/admin/users/userdata.html.tmpl
@@ -126,7 +126,7 @@
 <tr>
 <th><label for="mfa">Two-factor Auth:</label></th>
 <td>
- [% IF user.in_group('admin') %]
+ [% IF user.in_group('bz_can_disable_mfa') %]
 [% IF otheruser.mfa %]
 <select name="mfa" value="mfa">
 <option value="">Disable</option>
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 66573ecb1..6996832aa 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
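Review bot: The replacement line in encryption-required.txt.tmpl hard-codes `servicedesk@mozilla.com` where the configurable `[% maintainer %]` parameter used to be, so any change of the service desk address now needs a code change, and any other deployment of the SecureMail extension will mail out a Mozilla address. If the extension is understood to be BMO-only, a short template comment stating that and why the parameter was bypassed would help the next maintainer; otherwise reading the address from a parameter would keep the template deployment-neutral. Its hunk is complete within the view.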
@@ -1220,6 +1220,10 @@
 <br> The QR code has been deleted - please generate and scan a new code.
+ [% ELSIF error == "mfa_disable_denied" %]
+ [% title = "Change Denied" %]
+ You do not have permission to disable MFA for other users.
+
 [% ELSIF error == "migrate_config_created" %]
 The file <kbd>[% file FILTER html %]</kbd> contains configuration variables that must be set before continuing with the migration. |