authorByron Jones <glob@mozilla.com>2015-10-29 17:04:56 +0100
committerByron Jones <glob@mozilla.com>2015-10-29 17:04:56 +0100
commitb6d9211091e8d35f638b67b2b25fb3b00fb93134 (patch)
tree2d69ff90d8f2aa2255812b621e09bee6361b6c67 /Bugzilla
parent175f9c1022672ae8d47c93ad0cf31084eb868ecb (diff)
Bug 1213757 - delegate password and 2fa resets to servicedesk
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Install.pm4
-rw-r--r--Bugzilla/User.pm13
2 files changed, 17 insertions, 0 deletions
diff --git a/Bugzilla/Install.pm b/Bugzilla/Install.pm
index 715251154..97b8b677c 100644
--- a/Bugzilla/Install.pm
+++ b/Bugzilla/Install.pm
@@ -247,6 +247,10 @@ use constant SYSTEM_GROUPS => (
name => 'bz_quip_moderators',
description => 'Can moderate quips',
},
+ {
+ name => 'bz_can_disable_mfa',
+ description => 'Can disable MFA when editing users',
+ },
);
use constant DEFAULT_CLASSIFICATION => {
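Review bot: The description on the new `bz_can_disable_mfa` entry understates what membership grants. The check this commit adds to `_check_mfa` puts no limit on the target account, so as far as the visible code shows a member can remove the second factor from any user, privileged accounts included. I would say so in the text, e.g. `description => 'Can disable MFA on any other account when editing users',`. I would also add a comment above the entry: `# Membership allows removing another user's second factor; grant sparingly and review regularly.`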
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d2de6b548..ebd82002f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -270,6 +270,9 @@ sub update {
}
if (exists $changes->{mfa} && $self->mfa eq '') {
+ if (Bugzilla->user->id != $self->id) {
+ Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));
+ }
$dbh->do("DELETE FROM profile_mfa WHERE user_id = ?", undef, $self->id);
}
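Review bot: The audit entry added in `update` identifies both parties by login only, and logins can be changed later, so the record may not resolve to the right accounts during an investigation. Including the numeric ids keeps it unambiguous: `Bugzilla->audit(sprintf('%s <%d> disabled 2FA for %s <%d>', Bugzilla->user->login, Bugzilla->user->id, $self->login, $self->id));`. The line is also written before the `DELETE` runs, so a failed statement would leave an entry for a change that did not happen; moving it after `$dbh->do(...)` avoids that. A user removing their own MFA produces no entry here; if that is not audited elsewhere, it is worth recording too. The body of `update` starts and ends outside this hunk.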
@@ -369,6 +372,16 @@ sub _check_mfa {
$provider = lc($provider // '');
return 'TOTP' if $provider eq 'totp';
return 'Duo' if $provider eq 'duo';
+
+ # you must be member of the bz_can_disable_mfa group to disable mfa for
+ # other accounts.
+ if ($provider eq '') {
+ my $user = Bugzilla->user;
+ if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) {
+ ThrowUserError('mfa_disable_denied');
+ }
+ }
+
return '';
}
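Review bot: The group check in `_check_mfa` runs only when `$provider eq ''`, but the final `return ''` is also reached for any value other than `totp` or `duo`. An unrecognised provider string therefore clears MFA on another account without the membership test. Remove the `if ($provider eq '')` wrapper so the test guards every path to `return ''`: `if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) { ThrowUserError('mfa_disable_denied'); }`. Alternatively, reject unknown provider names with an error instead of treating them as "off". The comparison also assumes `$self` is an object and `Bugzilla->user` is a logged-in user; whether the validator is ever called on the class or from a script is not visible in this hunk.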