FEATURE: allow disable local logins when 2fa enforced for staff

Admin should be able to disable local logins even when 2FA is enabled for staff users.
2025-04-17 09:09:05 +08:00 · 2024-11-25 10:57:15 +11:00 · 2024-11-25 10:57:15 +11:00 · 64ffa60514
commit 64ffa60514
parent 1396dfabba
2 changed files with 14 additions and 0 deletions
--- a/lib/site_settings/validations.rb
+++ b/lib/site_settings/validations.rb
@ -221,12 +221,14 @@ module SiteSettings::Validations
    end
    return if SiteSetting.enable_local_logins
    return if new_val == "no"
+    return if new_val == "staff"
    validate_error :second_factor_cannot_be_enforced_with_disabled_local_login
  end

  def validate_enable_local_logins(new_val)
    return if new_val == "t"
    return if SiteSetting.enforce_second_factor == "no"
+    return if SiteSetting.enforce_second_factor == "staff"
    validate_error :local_login_cannot_be_disabled_if_second_factor_enforced
  end

--- a/spec/lib/site_settings/validations_spec.rb
+++ b/spec/lib/site_settings/validations_spec.rb
@ -149,6 +149,10 @@ RSpec.describe SiteSettings::Validations do
            error_message,
          )
        end
+
+        it "should be ok when the new value is 'staff'" do
+          expect { validations.validate_enforce_second_factor("staff") }.not_to raise_error
+        end
      end

      context "when local logins are enabled" do
@ -203,6 +207,14 @@ RSpec.describe SiteSettings::Validations do
            expect { validations.validate_enable_local_logins("f") }.not_to raise_error
          end
        end
+
+        context "when enforce second factor is staff" do
+          before { SiteSetting.enforce_second_factor = "staff" }
+
+          it "should be ok" do
+            expect { validations.validate_enable_local_logins("f") }.not_to raise_error
+          end
+        end
      end

      context "when the new value is true" do