Diffstat (limited to 'app/controllers/twofa_controller.rb')
-rw-r--r--app/controllers/twofa_controller.rb16
1 files changed, 15 insertions, 1 deletions
diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 446d2f105..3023caa9b 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -27,10 +27,14 @@ class TwofaController < ApplicationController
before_action :require_active_twofa
- require_sudo_mode :activate_init, :deactivate_init
+ require_sudo_mode :select_scheme,
+ :activate_init, :activate_confirm, :activate,
+ :deactivate_init, :deactivate_confirm, :deactivate
skip_before_action :check_twofa_activation, only: [:select_scheme, :activate_init, :activate_confirm, :activate]
+ before_action :ensure_user_has_no_twofa, only: [:select_scheme, :activate_init, :activate_confirm, :activate]
+
def select_scheme
@user = User.current
end
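Review bot: The four activation actions are now listed by hand three times: in `require_sudo_mode`, in `skip_before_action ... only:` and in the new `before_action :ensure_user_has_no_twofa, only:`. An activation action added later could be exempted from `check_twofa_activation` without picking up the has-no-2FA guard. Consider naming the list once, e.g. `ACTIVATION_ACTIONS = %i[select_scheme activate_init activate_confirm activate].freeze`, and passing `only: ACTIVATION_ACTIONS` to both callbacks. A functional test per action, asserting that a user with `twofa_scheme` already set is redirected, would pin the guard. The class body continues outside this hunk.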
@@ -43,6 +47,7 @@ class TwofaController < ApplicationController
def activate_confirm
@twofa_view = @twofa.init_pairing_view_variables
+ no_store
end
def activate
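Review bot: The new `no_store` call in `activate_confirm` has no comment saying why this one action opts out of caching, so a later cleanup could drop it as noise. Judging by the comment on `ensure_user_has_no_twofa` further down, the pairing view presumably shows the 2FA secret. I would add `# pairing view shows the 2FA secret: keep the response out of browser and proxy caches` above the call. The body of `activate` starts on the hunk's last line and lies outside it.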
@@ -114,4 +119,13 @@ class TwofaController < ApplicationController
redirect_to my_account_path
end
end
+
+ def ensure_user_has_no_twofa
+ # Allow activating a new 2FA scheme / showing twofa secret only if no other
+ # is already configured
+ return true if User.current.twofa_scheme.blank?
+
+ flash[:warning] = l('twofa_already_setup')
+ redirect_to controller: 'my', action: 'account'
+ end
end
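Review bot: `return true` in `ensure_user_has_no_twofa` reads as if the callback's return value decided whether the action runs. A controller `before_action` halts only because `redirect_to` has produced a response, so `return if User.current.twofa_scheme.blank?` says the same thing without the misleading value. Assuming `my_account_path` names the same route, the redirect could be `redirect_to my_account_path`, as the action just above does, instead of the `controller:`/`action:` hash. Whether a `private` marker precedes this method is not visible in the hunk; if none does, the helper belongs under one so it is never treated as an action.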