author | Byron Jones <glob@mozilla.com> | 2015-10-29 17:04:56 +0100 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-10-29 17:04:56 +0100 |
commit | b6d9211091e8d35f638b67b2b25fb3b00fb93134 (patch) | |
tree | 2d69ff90d8f2aa2255812b621e09bee6361b6c67 /Bugzilla | |
parent | 175f9c1022672ae8d47c93ad0cf31084eb868ecb (diff) | |
Bug 1213757 - delegate password and 2fa resets to servicedesk
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Install.pm | 4 | ||||
-rw-r--r-- | Bugzilla/User.pm | 13 |
2 files changed, 17 insertions, 0 deletions
diff --git a/Bugzilla/Install.pm b/Bugzilla/Install.pm
index 715251154..97b8b677c 100644
--- a/Bugzilla/Install.pm
+++ b/Bugzilla/Install.pm
@@ -247,6 +247,10 @@ use constant SYSTEM_GROUPS => (
 name => 'bz_quip_moderators',
 description => 'Can moderate quips',
 },
+ {
+ name => 'bz_can_disable_mfa',
+ description => 'Can disable MFA when editing users',
+ },
 );
 use constant DEFAULT_CLASSIFICATION => {
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d2de6b548..ebd82002f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -270,6 +270,9 @@ sub update {
 }
 if (exists $changes->{mfa} && $self->mfa eq '') {
+ if (Bugzilla->user->id != $self->id) {
+ Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));
+ }
 $dbh->do("DELETE FROM profile_mfa WHERE user_id = ?", undef, $self->id);
 }
@@ -369,6 +372,16 @@ sub _check_mfa {
 $provider = lc($provider // '');
 return 'TOTP' if $provider eq 'totp';
 return 'Duo' if $provider eq 'duo';
+
+ # you must be member of the bz_can_disable_mfa group to disable mfa for
+ # other accounts.
+ if ($provider eq '') {
+ my $user = Bugzilla->user;
+ if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) {
+ ThrowUserError('mfa_disable_denied');
+ }
+ }
+
 return '';
 } |
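Review bot: The audit entry added in `update` is written only when the acting user differs from the target, so a user turning off 2FA on their own account leaves no record on this path. A self-initiated disable is just as useful when investigating a compromised session, so consider dropping the `if (Bugzilla->user->id != $self->id)` guard and always calling `Bugzilla->audit(...)`. The call also comes before the `DELETE`, so if that statement fails the log would presumably record a reset that never happened; placing it after `$dbh->do(...)` avoids that. `update` starts and ends outside the hunk, so self-disables may already be logged elsewhere.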
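Review bot: The group check in `_check_mfa` runs only when `$provider eq ''`, but every value other than `totp` or `duo` falls through to `return '';`, so an unrecognised provider string still disables MFA without the `bz_can_disable_mfa` check. The check should guard the return itself: remove the `if ($provider eq '') { ... }` wrapper so that `if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa'))` runs on every path that reaches `return '';`. Alternatively, reject unknown providers with an error before that point. Whether callers already restrict the value is not visible in this hunk. The comment could also say that any value other than TOTP or Duo is treated as "disable".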