From cbfcf959f94148bcc05f7e672ce3c6315cabc084 Mon Sep 17 00:00:00 2001 From: snipe Date: Mon, 31 Oct 2016 16:52:25 -0700 Subject: [PATCH] Allow certain users to override 2FA with permission --- app/Http/Controllers/ProfileController.php | 4 ++- app/Http/Controllers/UsersController.php | 3 +++ app/Providers/AuthServiceProvider.php | 10 ++++++++ config/permissions.php | 10 ++++++++ resources/lang/en/admin/settings/general.php | 3 ++- resources/lang/en/admin/users/general.php | 1 + resources/macros/macros.php | 2 +- resources/views/account/profile.blade.php | 14 +++++++++-- resources/views/users/edit.blade.php | 26 ++++++++++++++++---- 9 files changed, 63 insertions(+), 10 deletions(-) diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php index a08e22d0ce..b94f336879 100755 --- a/app/Http/Controllers/ProfileController.php +++ b/app/Http/Controllers/ProfileController.php @@ -9,6 +9,7 @@ use View; use Auth; use App\Helpers\Helper; use App\Models\Setting; +use Gate; /** * This controller handles all actions related to User Profiles for @@ -54,7 +55,8 @@ class ProfileController extends Controller $user->gravatar = e(Input::get('gravatar')); $user->locale = e(Input::get('locale')); - if ((Setting::getSettings()->two_factor_enabled=='1') && (!config('app.lock_passwords'))) { + + if ((Gate::allows('self.two_factor')) && ((Setting::getSettings()->two_factor_enabled=='1') && (!config('app.lock_passwords')))) { $user->two_factor_optin = e(Input::get('two_factor_optin', '0')); } diff --git a/app/Http/Controllers/UsersController.php b/app/Http/Controllers/UsersController.php index ef23e7fc90..6226b1ba94 100755 --- a/app/Http/Controllers/UsersController.php +++ b/app/Http/Controllers/UsersController.php 
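Review bot: The new `Gate::allows('self.two_factor')` guard in ProfileController silently discards a posted `two_factor_optin` when the user lacks the ability, rather than rejecting the request; that is a reasonable choice if the profile view hides the control, but nothing on the line says so, and a reader will wonder whether the drop is intentional. A one-line comment above the `if` would settle it: `// Without self.two_factor (or admin) the posted opt-in is ignored, not rejected; the view hides the control.` The triple condition with its doubled parentheses would also read better as a named local, e.g. `$canToggle = Gate::allows('self.two_factor') && Setting::getSettings()->two_factor_enabled == '1' && !config('app.lock_passwords');` followed by `if ($canToggle) {`. The enclosing method starts before the hunk.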
@@ -334,6 +334,7 @@ class UsersController extends Controller // Update the user $user->first_name = e($request->input('first_name')); $user->last_name = e($request->input('last_name')); + $user->two_factor_optin = e($request->input('two_factor_optin')); $user->locale = e($request->input('locale')); $user->employee_num = e($request->input('employee_num')); $user->activated = e($request->input('activated', $user->activated)); @@ -1385,4 +1386,6 @@ class UsersController extends Controller } } + + } diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index 87ea4f74eb..c4945442dc 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php @@ -328,5 +328,15 @@ class AuthServiceProvider extends ServiceProvider }); + # ----------------------------------------- + # Self + # ----------------------------------------- + $gate->define('self.two_factor', function ($user) { + if (($user->hasAccess('self.two_factor')) || ($user->hasAccess('admin'))) { + return true; + } + }); + + } } diff --git a/config/permissions.php b/config/permissions.php index 760b8bb643..22f5c8222c 100644 --- a/config/permissions.php +++ b/config/permissions.php @@ -279,6 +279,16 @@ return array( ), + 'Self' => array( + array( + 'permission' => 'self.two_factor', + 'label' => 'Two-Factor Authentication', + 'note' => 'The user may disable/enable two-factor authentication themselves if two-factor is enabled and set to selective.', + 'display' => true, + ), + + ), + diff --git a/resources/lang/en/admin/settings/general.php b/resources/lang/en/admin/settings/general.php index fa88f72686..1d7117af19 100644 --- a/resources/lang/en/admin/settings/general.php +++ b/resources/lang/en/admin/settings/general.php 
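Review bot: The added `$user->two_factor_optin = e($request->input('two_factor_optin'));` in update() writes the field unconditionally, whereas the ProfileController change in the same commit only writes it when `two_factor_enabled=='1'` and `lock_passwords` is off, and supplies a `'0'` default; here an unticked checkbox is simply not submitted, so the assignment stores whatever `e(null)` yields (an empty string) into a field the other path treats as a 0/1 flag. The edit form in this commit only renders the checkbox when the two-factor mode is '1', so in every other mode each admin save overwrites the user's stored opt-in instead of leaving it alone. Mirroring the profile guard keeps the two write paths consistent: `if (Setting::getSettings()->two_factor_enabled == '1') { $user->two_factor_optin = e($request->input('two_factor_optin', '0')); }`. Whatever authorization protects update() is outside the hunk, so whether a non-admin with user-edit rights can now clear another user's opt-in cannot be judged from here; update() itself starts before the hunk.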
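Review bot: The `self.two_factor` gate callback returns `true` on a match and otherwise falls off the end with no return value, so denial depends on the Gate treating a null result as false; returning the boolean directly is explicit and shorter: `return $user->hasAccess('self.two_factor') || $user->hasAccess('admin');`. The `admin` branch grants the ability implicitly, which the permission note added in config/permissions.php ("The user may disable/enable two-factor authentication themselves…") does not mention, so a comment above the define such as `// Admins hold this ability implicitly, in addition to anyone granted self.two_factor.` would help whoever next reads the permission list. The enclosing method starts before the hunk.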
@@ -114,11 +114,12 @@ return array( 'two_factor_reset_error' => 'Two factor device reset failed', 'two_factor_enabled_warning' => 'Enabling two-factor if it is not currently enabled will immediately force you to authenticate with a Google Auth enrolled device. You will have the ability to enroll your device if one is not currently enrolled.', 'two_factor_enabled_help' => 'This will turn on two-factor authentication using Google Authenticator.', - 'two_factor_optional' => 'Optional (Users can enable or disable)', + 'two_factor_optional' => 'Selective (Users can enable or disable if permitted)', 'two_factor_required' => 'Required for all users', 'two_factor_disabled' => 'Disabled', 'two_factor_enter_code' => 'Enter Two-Factor Code', 'two_factor_config_complete' => 'Submit Code', + 'two_factor_enabled_edit_not_allowed' => 'Your administrator does not permit you to edit this setting.', 'two_factor_enrollment_text' => "Two factor authentication is required, however your device has not been enrolled yet. Open your Google Authenticator app and scan the QR code below to enroll your device. Once you've enrolled your device, enter the code below", 'left' => 'left', 'right' => 'right', diff --git a/resources/lang/en/admin/users/general.php b/resources/lang/en/admin/users/general.php index b6acbce0d7..8763a4a777 100644 --- a/resources/lang/en/admin/users/general.php +++ b/resources/lang/en/admin/users/general.php @@ -15,4 +15,5 @@ return array( 'software_user' => 'Software Checked out to :name', 'view_user' => 'View User :name', 'usercsv' => 'CSV file', + 'two_factor_admin_optin_help' => 'Your current admin settings allow selective enforcement of two-factor authentication. ', ); diff --git a/resources/macros/macros.php b/resources/macros/macros.php index 26db2dad94..7bec721d56 100644 --- a/resources/macros/macros.php +++ b/resources/macros/macros.php 
@@ -483,7 +483,7 @@ Form::macro('two_factor_options', function ($name = "two_factor_enabled", $selec ); - $select = ''; foreach ($formats as $format => $label) { $select .= ' '."\n"; } diff --git a/resources/views/account/profile.blade.php b/resources/views/account/profile.blade.php index 79753e0007..06e66b3d3b 100755 --- a/resources/views/account/profile.blade.php +++ b/resources/views/account/profile.blade.php @@ -104,19 +104,29 @@ @if (\App\Models\Setting::getSettings()->two_factor_enabled=='1') +
-
+ @endif diff --git a/resources/views/users/edit.blade.php b/resources/views/users/edit.blade.php index 3962c3fcba..729790b518 100755 --- a/resources/views/users/edit.blade.php +++ b/resources/views/users/edit.blade.php @@ -320,7 +320,23 @@ @if (\App\Models\Setting::getSettings()->two_factor_enabled!='') - + @if (\App\Models\Setting::getSettings()->two_factor_enabled=='1') +
+
+ {{ Form::label('two_factor_optin', trans('admin/settings/general.two_factor')) }} +
+
+ {{ Form::checkbox('two_factor_optin', '1', Input::old('two_factor_optin', $user->two_factor_optin),array('class' => 'minimal')) }} + {{ trans('admin/settings/general.two_factor_enabled_text') }} + +

{{ trans('admin/users/general.two_factor_admin_optin_help') }}

+
+
+ @endif + + + +
{{ trans('admin/settings/general.two_factor_reset') }} @@ -405,7 +421,7 @@ - + @@ -416,7 +432,7 @@ - - @if ($permission['display'])
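Review bot: The new opt-in checkbox submits nothing when unticked, so whatever consumes `two_factor_optin` on the server has to treat an absent key as "off"; placing `{{ Form::hidden('two_factor_optin', '0') }}` immediately before the `Form::checkbox('two_factor_optin', '1', …)` line makes the submitted value always explicit ('0' or '1'), since the later checkbox value overrides the hidden one when ticked. Passing `Input::old('two_factor_optin', $user->two_factor_optin)` as the checked state is presumably redundant, as the form builder is expected to consult old input itself; `$user->two_factor_optin` alone would read more simply, but confirm against the builder in use before changing it. The markup in this hunk is partly garbled in the listing, so the surrounding structure is inferred.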
PermissionPermission Grant Deny Inherit
+

{{ $area }}

@@ -456,7 +472,7 @@