diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 2b68faed6d9..4632f8e3af4 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -204,6 +204,8 @@ en:
enable_s3_uploads_is_required: "You cannot enable inventory to S3 unless you've enabled the S3 uploads."
s3_backup_requires_s3_settings: "You cannot use S3 as backup location unless you've provided the '%{setting_name}'."
s3_bucket_reused: "You cannot use the same bucket for 's3_upload_bucket' and 's3_backup_bucket'. Choose a different bucket or use a different path for each bucket."
+ second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled."
+ local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins."
conflicting_google_user_id: 'The Google Account ID for this account has changed; staff intervention is required for security reasons. Please contact staff and point them to
https://meta.discourse.org/t/76575'
activemodel:
diff --git a/lib/site_settings/validations.rb b/lib/site_settings/validations.rb
index be622022c7b..3b2708f2b8b 100644
--- a/lib/site_settings/validations.rb
+++ b/lib/site_settings/validations.rb
@@ -143,6 +143,17 @@ module SiteSettings::Validations
validate_bucket_setting("s3_backup_bucket", SiteSetting.s3_upload_bucket, new_val)
end
+ def validate_enforce_second_factor(new_val)
+ return if SiteSetting.enable_local_logins
+ validate_error :second_factor_cannot_be_enforced_with_disabled_local_login
+ end
+
+ def validate_enable_local_logins(new_val)
+ return if new_val == "t"
+ return if SiteSetting.enforce_second_factor == "no"
+ validate_error :local_login_cannot_be_disabled_if_second_factor_enforced
+ end
+
private
def validate_bucket_setting(setting_name, upload_bucket, backup_bucket)
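Review bot: `validate_enforce_second_factor` never reads `new_val`, so while local logins are disabled it rejects every write to the setting, including one that sets enforcement to "no". An admin who ends up with enforcement on and local logins off (for example from state saved before this validator existed) would have to re-enable local logins before being allowed to relax 2FA, which looks unintended. Let the disabling value through first: `return if new_val == "no" || SiteSetting.enable_local_logins`. A one-line comment on each validator naming the pairing it protects (enforced 2FA only makes sense while local login is available) would also help the next reader, since the two methods only work as a pair.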
diff --git a/spec/lib/site_settings/validations_spec.rb b/spec/lib/site_settings/validations_spec.rb
index c58a270cdc7..6660872806d 100644
--- a/spec/lib/site_settings/validations_spec.rb
+++ b/spec/lib/site_settings/validations_spec.rb
@@ -105,4 +105,61 @@ describe SiteSettings::Validations do
end
end
end
+
+ describe "enforce second factor & local login interplay" do
+ describe "#validate_enforce_second_factor" do
+ let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_disabled_local_login") }
+ context "when local logins are disabled" do
+ before do
+ SiteSetting.enable_local_logins = false
+ end
+
+ it "should raise an error" do
+ expect { subject.validate_enforce_second_factor("t") }.to raise_error(Discourse::InvalidParameters, error_message)
+ end
+ end
+
+ context "when local logins are enabled" do
+ before do
+ SiteSetting.enable_local_logins = true
+ end
+
+ it "should be ok" do
+ expect { subject.validate_enforce_second_factor("t") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+ end
+ end
+ end
+
+ describe "#validate_enable_local_logins" do
+ let(:error_message) { I18n.t("errors.site_settings.local_login_cannot_be_disabled_if_second_factor_enforced") }
+
+ context "when the new value is false" do
+ context "when enforce second factor is enabled" do
+ before do
+ SiteSetting.enforce_second_factor = "all"
+ end
+
+ it "should raise an error" do
+ expect { subject.validate_enable_local_logins("f") }.to raise_error(Discourse::InvalidParameters, error_message)
+ end
+ end
+
+ context "when enforce second factor is disabled" do
+ before do
+ SiteSetting.enforce_second_factor = "no"
+ end
+
+ it "should be ok" do
+ expect { subject.validate_enable_local_logins("f") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+ end
+ end
+ end
+
+ context "when the new value is true" do
+ it "should be ok" do
+ expect { subject.validate_enable_local_logins("t") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+ end
+ end
+ end
+ end
end
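Review bot: The three "should be ok" examples assert `not_to raise_error(Discourse::InvalidParameters, error_message)`, a form RSpec flags as prone to false positives. Any other exception raised inside the block (a NoMethodError from a typo, say) still satisfies it, so these cases can pass without the validator having completed. Use the bare matcher instead: `expect { subject.validate_enable_local_logins("t") }.not_to raise_error`. Separately, both `#validate_enforce_second_factor` examples pass "t", while the values this commit compares the setting against are "no" and "all"; a case for `validate_enforce_second_factor("no")` with local logins disabled would pin down what should happen when enforcement is being turned off.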