Allow certain users to override 2FA with permission

2025-03-05 20:52:15 -08:00 · 2016-10-31 16:52:25 -07:00 · 2016-10-31 16:52:25 -07:00 · cbfcf959f9
parent e065d18227
commit cbfcf959f9
9 changed files with 63 additions and 10 deletions
--- a/app/Http/Controllers/ProfileController.php
+++ b/app/Http/Controllers/ProfileController.php
@ -9,6 +9,7 @@ use View;
 use Auth;
 use App\Helpers\Helper;
 use App\Models\Setting;
+use Gate;

 /**
 * This controller handles all actions related to User Profiles for
@ -54,7 +55,8 @@ class ProfileController extends Controller
        $user->gravatar   = e(Input::get('gravatar'));
        $user->locale = e(Input::get('locale'));

-        if ((Setting::getSettings()->two_factor_enabled=='1') && (!config('app.lock_passwords'))) {
+
+        if ((Gate::allows('self.two_factor')) && ((Setting::getSettings()->two_factor_enabled=='1') && (!config('app.lock_passwords')))) {
            $user->two_factor_optin = e(Input::get('two_factor_optin', '0'));
        }
        
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@ -334,6 +334,7 @@ class UsersController extends Controller
       // Update the user
        $user->first_name = e($request->input('first_name'));
        $user->last_name = e($request->input('last_name'));
+        $user->two_factor_optin = e($request->input('two_factor_optin'));
        $user->locale = e($request->input('locale'));
        $user->employee_num = e($request->input('employee_num'));
        $user->activated = e($request->input('activated', $user->activated));
@ -1385,4 +1386,6 @@ class UsersController extends Controller
        }

    }
+
+
 }
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@ -328,5 +328,15 @@ class AuthServiceProvider extends ServiceProvider
        });


+        # -----------------------------------------
+        # Self
+        # -----------------------------------------
+        $gate->define('self.two_factor', function ($user) {
+            if (($user->hasAccess('self.two_factor')) || ($user->hasAccess('admin'))) {
+                return true;
+            }
+        });
+
+
    }
 }
--- a/config/permissions.php
+++ b/config/permissions.php
@ -279,6 +279,16 @@ return array(

    ),

+    'Self' => array(
+        array(
+            'permission' => 'self.two_factor',
+            'label'      => 'Two-Factor Authentication',
+            'note'       => 'The user may disable/enable two-factor authentication themselves if two-factor is enabled and set to selective.',
+            'display'    => true,
+        ),
+
+    ),
+



--- a/resources/lang/en/admin/settings/general.php
+++ b/resources/lang/en/admin/settings/general.php
@ -114,11 +114,12 @@ return array(
    'two_factor_reset_error'          => 'Two factor device reset failed',
    'two_factor_enabled_warning'        => 'Enabling two-factor if it is not currently enabled will immediately force you to authenticate with a Google Auth enrolled device. You will have the ability to enroll your device if one is not currently enrolled.',
    'two_factor_enabled_help'        => 'This will turn on two-factor authentication using Google Authenticator.',
-    'two_factor_optional'        => 'Optional (Users can enable or disable)',
+    'two_factor_optional'        => 'Selective (Users can enable or disable if permitted)',
    'two_factor_required'        => 'Required for all users',
    'two_factor_disabled'        => 'Disabled',
    'two_factor_enter_code'	=> 'Enter Two-Factor Code',
    'two_factor_config_complete'	=> 'Submit Code',
+    'two_factor_enabled_edit_not_allowed' => 'Your administrator does not permit you to edit this setting.',
    'two_factor_enrollment_text'	=> "Two factor authentication is required, however your device has not been enrolled yet. Open your Google Authenticator app and scan the QR code below to enroll your device. Once you've enrolled your device, enter the code below",
    'left'        => 'left',
    'right'        => 'right',
--- a/resources/lang/en/admin/users/general.php
+++ b/resources/lang/en/admin/users/general.php
@ -15,4 +15,5 @@ return array(
    'software_user'     => 'Software Checked out to :name',
    'view_user'         => 'View User :name',
    'usercsv'           => 'CSV file',
+    'two_factor_admin_optin_help' => 'Your current admin settings allow selective enforcement of two-factor authentication.  ',
    );
--- a/resources/macros/macros.php
+++ b/resources/macros/macros.php
@ -483,7 +483,7 @@ Form::macro('two_factor_options', function ($name = "two_factor_enabled", $selec

    );

-    $select = '<select name="'.$name.'" class="'.$class.'" style="width: 400px">';
+    $select = '<select name="'.$name.'" class="'.$class.'" style="width: 500px">';
    foreach ($formats as $format => $label) {
        $select .= '<option value="'.$format.'"'.($selected == $format ? ' selected="selected"' : '').'>'.$label.'</option> '."\n";
    }
--- a/resources/views/account/profile.blade.php
+++ b/resources/views/account/profile.blade.php
@ -104,19 +104,29 @@

      <!-- Two factor opt in -->
         @if (\App\Models\Setting::getSettings()->two_factor_enabled=='1')
+
            <div class="form-group {{ $errors->has('avatar') ? 'has-error' : '' }}">

                <div class="col-md-7 col-md-offset-3">

-                    <label for="avatar">{{ Form::checkbox('two_factor_optin', '1', Input::old('two_factor_optin', $user->two_factor_optin),array('class' => 'minimal')) }}
+                    @can('self.two_factor')
+                        <label for="avatar">{{ Form::checkbox('two_factor_optin', '1', Input::old('two_factor_optin', $user->two_factor_optin),array('class' => 'minimal')) }}
+                        @else
+                            <label for="avatar">{{ Form::checkbox('two_factor_optin', '1', Input::old('two_factor_optin', $user->two_factor_optin),['class' => 'disabled minimal', 'disabled' => 'disabled']) }}
+                        @endcan

                     {{ trans('admin/settings/general.two_factor_enabled_text') }}</label>
-                    <p class="help-block">{{ trans('admin/settings/general.two_factor_enabled_warning') }}</p>
+                    @can('self.two_factor')
+                        <p class="help-block">{{ trans('admin/settings/general.two_factor_enabled_warning') }}</p>
+                     @else
+                       <p class="help-block">{{ trans('admin/settings/general.two_factor_enabled_edit_not_allowed') }}</p>
+                     @endcan
                    @if (config('app.lock_passwords'))
                        <p class="help-block">{{ trans('general.feature_disabled') }}</p>
                    @endif
                </div>
            </div>
+
         @endif


--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@ -320,7 +320,23 @@

            @if (\App\Models\Setting::getSettings()->two_factor_enabled!='')

-                <!-- Notes -->
+                @if (\App\Models\Setting::getSettings()->two_factor_enabled=='1')
+                <div class="form-group">
+                    <div class="col-md-3 control-label">
+                        {{ Form::label('two_factor_optin', trans('admin/settings/general.two_factor')) }}
+                    </div>
+                    <div class="col-md-9">
+                        {{ Form::checkbox('two_factor_optin', '1', Input::old('two_factor_optin', $user->two_factor_optin),array('class' => 'minimal')) }}
+                        {{ trans('admin/settings/general.two_factor_enabled_text') }}
+
+                        <p class="help-block">{{ trans('admin/users/general.two_factor_admin_optin_help') }}</p>
+                    </div>
+                </div>
+                @endif
+
+
+
+                <!-- Reset Two Factor -->
                    <div class="form-group">
                        <div class="col-md-8 col-md-offset-3 two_factor_resetrow">
                            <a class="btn btn-default btn-sm pull-left" id="two_factor_reset" style="margin-right: 10px;"> {{ trans('admin/settings/general.two_factor_reset') }}</a>
@ -405,7 +421,7 @@
        <table class="table table-striped permissions">
          <thead>
            <tr class="permissions-row">
-              <th class="col-md-2"><span class="line"></span>Permission</th>
+              <th class="col-md-5"><span class="line"></span>Permission</th>
              <th class="col-md-1"><span class="line"></span>Grant</th>
              <th class="col-md-1"><span class="line"></span>Deny</th>
              <th class="col-md-1"><span class="line"></span>Inherit</th>
@ -416,7 +432,7 @@
              <tbody class="permissions-group">
              <?php $localPermission = $permissionsArray[0] ?>
                <tr class="header-row permissions-row">
-                  <td class="col-md-2 tooltip-base permissions-item"
+                  <td class="col-md-5 tooltip-base permissions-item"
                    data-toggle="tooltip"
                    data-placement="right"
                    title="{{ $localPermission['note'] }}"
@ -439,7 +455,7 @@
            @else
              <tbody class="permissions-group">
              <tr class="header-row permissions-row">
-                <td class="col-md-2 header-name">
+                <td class="col-md-5 header-name">
                  <h3>{{ $area }}</h3>
                </td>
                <td class="col-md-1 permissions-item">
@ -456,7 +472,7 @@
              <tr class="permissions-row">
                @if ($permission['display'])
                  <td
-                    class="col-md-2 tooltip-base permissions-item"
+                    class="col-md-5 tooltip-base permissions-item"
                    data-toggle="tooltip"
                    data-placement="right"
                    title="{{ $permission['note'] }}"