From b6d9211091e8d35f638b67b2b25fb3b00fb93134 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Fri, 30 Oct 2015 00:04:56 +0800
Subject: Bug 1213757 - delegate password and 2fa resets to servicedesk
---
 Bugzilla/User.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'Bugzilla/User.pm')
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d2de6b548..ebd82002f 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -270,6 +270,9 @@ sub update {
 }
 if (exists $changes->{mfa} && $self->mfa eq '') {
+ if (Bugzilla->user->id != $self->id) {
+ Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));
+ }
 $dbh->do("DELETE FROM profile_mfa WHERE user_id = ?", undef, $self->id);
 }
@@ -369,6 +372,16 @@ sub _check_mfa {
 $provider = lc($provider // '');
 return 'TOTP' if $provider eq 'totp';
 return 'Duo' if $provider eq 'duo';
+
+ # you must be member of the bz_can_disable_mfa group to disable mfa for
+ # other accounts.
+ if ($provider eq '') {
+ my $user = Bugzilla->user;
+ if ($user->id != $self->id && !$user->in_group('bz_can_disable_mfa')) {
+ ThrowUserError('mfa_disable_denied');
+ }
+ }
+
 return '';
 }
-- cgit v1.2.3-24-g4f1b
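Review bot: The audit call added in `update` is guarded by `Bugzilla->user->id != $self->id`, so a 2FA removal made from the account's own session writes no audit entry in this hunk. Unless self-service disables are logged elsewhere (not visible here), that is the event a defender most wants recorded after a session takeover. Consider dropping the guard and always emitting `Bugzilla->audit(sprintf('%s disabled 2FA for %s', Bugzilla->user->login, $self->login));`. If the guard is intentional, add a comment such as `# self-service disable is audited in <placeholder: location>`. The body of `update` starts and ends outside the hunk.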
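Review bot: The new group check in `_check_mfa` runs only when `$provider eq ''`, but any value that is neither `totp` nor `duo` also falls through to `return ''`. An unrecognised provider string would therefore clear MFA on another account without the `bz_can_disable_mfa` check. Drop the `if ($provider eq '')` wrapper so the check covers every path that returns the empty provider: `my $user = Bugzilla->user;` followed by `ThrowUserError('mfa_disable_denied') if $user->id != $self->id && !$user->in_group('bz_can_disable_mfa');` placed directly before `return '';`. Whether callers can pass arbitrary values to this validator for another user is not visible here, and the start of `_check_mfa` lies outside the hunk.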