From b6d9211091e8d35f638b67b2b25fb3b00fb93134 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Fri, 30 Oct 2015 00:04:56 +0800
Subject: Bug 1213757 - delegate password and 2fa resets to servicedesk

---
 Bugzilla/Install.pm | 4 ++++
 Bugzilla/User.pm | 13 +++++++++++++
 editusers.cgi | 3 +--
 .../en/default/account/email/encryption-required.txt.tmpl | 10 +++++++++-
 template/en/default/admin/users/userdata.html.tmpl | 2 +-
 template/en/default/global/user-error.html.tmpl | 4 ++++
 6 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/Bugzilla/Install.pm b/Bugzilla/Install.pm
index 715251154..97b8b677c 100644
--- a/Bugzilla/Install.pm
+++ b/Bugzilla/Install.pm
@@ -247,6 +247,10 @@ use constant SYSTEM_GROUPS => (
 name => 'bz_quip_moderators',
 description => 'Can moderate quips',
 },
+ {
+ name => 'bz_can_disable_mfa',
+ description => 'Can disable MFA when editing users',
+ },
 );
 
 use constant DEFAULT_CLASSIFICATION => {
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d2de6b548..ebd82002f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -270,6 +270,9 @@ sub update {
 }
 
 if (exists $changes->{mfa} && $self->mfa eq '') {
+ if (Bugzilla->user->id != $self->id) {
+ Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));
+ }
 $dbh->do("DELETE FROM profile_mfa WHERE user_id = ?", undef, $self->id);
 }
 
@@ -369,6 +372,16 @@ sub _check_mfa {
 $provider = lc($provider // '');
 return 'TOTP' if $provider eq 'totp';
 return 'Duo' if $provider eq 'duo';
+
+ # you must be member of the bz_can_disable_mfa group to disable mfa for
+ # other accounts.
+ if ($provider eq '') {
+ my $user = Bugzilla->user;
+ if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) {
+ ThrowUserError('mfa_disable_denied');
+ }
+ }
+
 return '';
 }
 
diff --git a/editusers.cgi b/editusers.cgi
index c7851d00a..c3ea9a49e 100755
--- a/editusers.cgi
+++ b/editusers.cgi
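Review bot: In the `update` hunk the `Bugzilla->audit(...)` call runs before the `$dbh->do("DELETE FROM profile_mfa ...")`, so if the delete dies the audit log already claims that 2FA was disabled for the account when it was not; moving the audit call after the `$dbh->do(...)` line keeps the record tied to the change that actually happened. The actor check compares `Bugzilla->user->id` with `$self->id`, and in non-web contexts (command-line scripts) `Bugzilla->user` is presumably the empty user with id 0, so an `update()` that clears `mfa` from such a context would be logged with an empty login — worth a comment such as `# audit only when someone other than the account owner clears MFA; Bugzilla->user may be the empty user outside a request`. `update` starts and ends outside the hunk.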
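Review bot: The new block in `_check_mfa` calls `$self->id`, but validators in `VALIDATORS` are also run by `Bugzilla::Object::create()` as class methods; if `mfa` is validated on create (not visible in this hunk), `$self` is then the string `Bugzilla::User` and the dereference in `id` dies under strict refs instead of returning `''`, so guarding the block with `if ($provider eq '' && ref $self) {` would keep the create path unaffected while still protecting existing accounts. The authorization decision is also based on the global `Bugzilla->user`, so any non-web caller that clears another user's `mfa` now gets `mfa_disable_denied`; if that is intended, the comment above the block should say so. The end of `_check_mfa` is inside the hunk, but its signature line is not.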
@@ -270,9 +270,8 @@ if ($action eq 'search') {
 ? $cgi->param('password_change_reason')
 : ''
 );
- if ($user->in_group('admin') && $otherUser->mfa && $cgi->param('mfa') eq '') {
+ if ($user->in_group('bz_can_disable_mfa') && $otherUser->mfa && $cgi->param('mfa') eq '') {
 $otherUser->set_mfa('');
- Bugzilla->audit(sprintf('%s disabled 2FA for %s', $user->login, $otherUser->login));
 }
 $changes = $otherUser->update();
 }
diff --git a/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl b/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
index 3817f4fa1..55b716864 100644
--- a/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
+++ b/extensions/SecureMail/template/en/default/account/email/encryption-required.txt.tmpl
@@ -1,3 +1,11 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
 This email would have contained sensitive information, but you have not set
 a PGP/GPG key or SMIME certificate in the "Secure Mail" section of your user
 preferences.
@@ -13,5 +21,5 @@ You can see this bug's current state at:
 [%+ urlbase %]show_bug.cgi?id=[% bug_id %]
 [% END %]
 [% ELSIF email_type == 'admin' %]
-You will have to contact [% maintainer %] to reset your password.
+You will have to contact servicedesk@mozilla.com to reset your password.
 [% END %]
diff --git a/template/en/default/admin/users/userdata.html.tmpl b/template/en/default/admin/users/userdata.html.tmpl
index a455ef84b..449a1b143 100644
--- a/template/en/default/admin/users/userdata.html.tmpl
+++ b/template/en/default/admin/users/userdata.html.tmpl
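Review bot: The guard `if ($user->in_group('bz_can_disable_mfa') && $otherUser->mfa && $cgi->param('mfa') eq '')` means an editor without the group who submits an empty `mfa` has that part of the request silently ignored, so the `mfa_disable_denied` error that `_check_mfa` raises for exactly this case is never reached from this page; either let `$otherUser->set_mfa('')` run and rely on the validator, or document the silent ignore with a comment such as `# only bz_can_disable_mfa members may clear another user's MFA; the field is otherwise ignored`. The audit call that was removed here now lives in `Bugzilla::User::update`, which is fine, but the comment should point there so the next reader does not think the audit was dropped. The enclosing `if` branch of editusers.cgi starts outside the hunk.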
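Review bot: The line `+You will have to contact servicedesk@mozilla.com to reset your password.` hard-codes a deployment-specific mailbox into an extension template that previously read the configurable `[% maintainer %]`, so any other installation of SecureMail now directs users to Mozilla's service desk; keeping the address behind a parameter (the existing `maintainer`, or a dedicated Param) would preserve portability. If the address is meant to be fixed for this deployment, a template comment such as `[%# BMO-specific: password resets are handled by the service desk, not the maintainer %]` would make that explicit for future maintainers.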
@@ -126,7 +126,7 @@ - [% IF user.in_group('admin') %] + [% IF user.in_group('bz_can_disable_mfa') %] [% IF otheruser.mfa %]