git-svn-id: http://svn.redmine.org/redmine/trunk@21395 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/5.0.0
@@ -244,7 +244,11 @@ class Setting < ActiveRecord::Base | |||
end | |||
def self.twofa_optional? | |||
twofa == '1' | |||
%w[1 3].include? twofa | |||
end | |||
def self.twofa_required_for_administrators? | |||
twofa == '3' | |||
end | |||
# Helper that returns an array based on per_page_options setting |
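Review bot: `twofa_optional?` now returns true for two different stored values, and nothing at the definition says what '1', '2' and '3' mean or why '3' counts as optional. A short comment above it would help the next reader, e.g. `# '3' (required for administrators) is optional for everyone else, so it also satisfies twofa_optional?`. Because the predicate is wider than before, any caller outside this hunk that reads `twofa_optional?` as "this user may skip or switch off 2FA" should be checked for administrators under '3'. Those callers are not visible here, so this is something to confirm rather than a known defect. The `Setting` class body starts and ends outside the hunk.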
@@ -387,6 +387,7 @@ class User < Principal | |||
return false if twofa_active? | |||
return true if Setting.twofa_required? | |||
return true if Setting.twofa_required_for_administrators? && admin? | |||
return true if Setting.twofa_optional? && groups.any?(&:twofa_required?) | |||
end | |||
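Review bot: The new `Setting.twofa_required_for_administrators? && admin?` guard is only as strong as the point where `must_activate_twofa?` gets called. The hint string added in this commit says administrators are asked "at their next login", which suggests that an administrator session already open when the setting changes continues without a second factor until it ends. If that is the intended behaviour it deserves a comment on the method, e.g. `# Checked during login; sessions opened before the setting changed are not interrupted (confirm against the caller)`. Operators tightening the policy would then know to pair the change with the session lifetime settings or a forced logout. The method's signature and any leading lines are outside the hunk.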
@@ -31,10 +31,12 @@ | |||
<p> | |||
<%= setting_select :twofa, [[l(:label_disabled), "0"], | |||
[l(:label_optional), "1"], | |||
[l(:label_required_administrators), "3"], | |||
[l(:label_required_lower), "2"]] -%> | |||
<em class="info"> | |||
<%= t 'twofa_hint_disabled_html', label: t(:label_disabled) -%><br/> | |||
<%= t 'twofa_hint_optional_html', label: t(:label_optional) -%><br/> | |||
<%= t 'twofa_hint_required_administrators_html', label: t(:label_required_administrators) -%><br/> | |||
<%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%> | |||
</em> | |||
</p> | |||
@@ -48,7 +50,7 @@ | |||
<p><%= setting_select :session_lifetime, session_lifetime_options %></p> | |||
<p><%= setting_select :session_timeout, session_timeout_options %></p> | |||
</div> | |||
<p><em class="info"><%= l(:text_session_expiration_settings) %></em></p> | |||
</fieldset> | |||
@@ -1019,6 +1019,7 @@ en: | |||
label_readonly: Read-only | |||
label_required: Required | |||
label_required_lower: required | |||
label_required_administrators: required for administrators | |||
label_hidden: Hidden | |||
label_attribute_of_project: "Project's %{name}" | |||
label_attribute_of_issue: "Issue's %{name}" | |||
@@ -1349,6 +1350,7 @@ en: | |||
twofa_hint_disabled_html: Setting <strong>%{label}</strong> will deactivate and unpair two-factor authentication devices for all users. | |||
twofa_hint_optional_html: Setting <strong>%{label}</strong> will let users set up two-factor authentication at will, unless it is required by one of their groups. | |||
twofa_hint_required_html: Setting <strong>%{label}</strong> will require all users to set up two-factor authentication at their next login. | |||
twofa_hint_required_administrators_html: Setting <strong>%{label}</strong> behaves like optional, but will require all users with administration rights to set up two-factor authentication at their next login. | |||
twofa_label_setup: Enable two-factor authentication | |||
twofa_label_deactivation_confirmation: Disable two-factor authentication | |||
twofa_notice_select: "Please select the two-factor scheme you would like to use:" |
@@ -31,6 +31,27 @@ class TwofaTest < Redmine::IntegrationTest | |||
end | |||
end | |||
test "should require twofa setup when required for administrators" do | |||
admin = User.find_by_login 'admin' | |||
user = User.find_by_login 'jsmith' | |||
assert_not admin.must_activate_twofa? | |||
assert_not user.must_activate_twofa? | |||
with_settings twofa: "3" do | |||
assert_not Setting.twofa_required? | |||
assert Setting.twofa_optional? | |||
assert Setting.twofa_required_for_administrators? | |||
assert admin.must_activate_twofa? | |||
assert_not user.must_activate_twofa? | |||
log_user('admin', 'admin') | |||
follow_redirect! | |||
assert_redirected_to "/my/twofa/totp/activate/confirm" | |||
end | |||
end | |||
test "should require twofa setup when required by group" do | |||
user = User.find_by_login 'jsmith' | |||
assert_not user.must_activate_twofa? |
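Review bot: The new test "should require twofa setup when required for administrators" drives the login redirect only for the admin account. The non-admin side is covered only at model level by `assert_not user.must_activate_twofa?`, so a regression in which the controller sends every user to `/my/twofa/totp/activate/confirm` under setting "3" would still pass. I would add a second login inside the `with_settings twofa: "3"` block as the non-admin fixture user and assert that the response is not redirected to the activation path. A case for an administrator whose 2FA is already active would also pin the `return false if twofa_active?` precedence. The following test, "should require twofa setup when required by group", continues past the end of the visible hunk.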