Add multi-factor management to UserEditForm
authorTim Düsterhus <duesterhus@woltlab.com>
Thu, 3 Dec 2020 08:35:52 +0000 (09:35 +0100)
committerTim Düsterhus <duesterhus@woltlab.com>
Thu, 3 Dec 2020 08:45:31 +0000 (09:45 +0100)
wcfsetup/install/files/acp/templates/userAdd.tpl
wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
wcfsetup/install/lang/de.xml
wcfsetup/install/lang/en.xml

index c4ccd73b8486cde3fadce80988997395f931639a..f3c992641003c4c1c5fac295a1a4c187ece315a2 100644 (file)
                                                {event name='passwordFields'}
                                        </section>
                                {/if}
+                               
+                               {if $action == 'edit' && $user->multifactorActive}
+                                       <section class="section">
+                                               <h2 class="sectionTitle">{lang}wcf.acp.user.security.multifactor{/lang}</h2>
+                                               
+                                               <dl>
+                                                       <dt>{lang}wcf.acp.user.security.multifactor{/lang}</dt>
+                                                       <dd>
+                                                               {lang}wcf.acp.user.security.multifactor.active{/lang}
+                                                               <small>{lang}wcf.acp.user.security.multifactor.active.description{/lang}</small>
+                                                       </dd>
+                                               </dl>
+                                               
+                                               <dl>
+                                                       <dt></dt>
+                                                       <dd>
+                                                               <label>
+                                                                       <input type="checkbox" id="multifactorDisable" name="multifactorDisable" value="1"> {lang}wcf.acp.user.security.multifactor.disable{/lang}
+                                                               </label>
+                                                               <small>
+                                                                       {lang}wcf.acp.user.security.multifactor.disable.description{/lang}
+                                                               </small>
+                                                       </dd>
+                                               </dl>
+                                       </section>
+                               {/if}
                        {/if}
                        
                        {if $action == 'edit' && $__wcf->session->getPermission('admin.user.canBanUser') && $__wcf->user->userID != $userID}
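Review bot: The new `{if $action == 'edit' && $user->multifactorActive}` block renders the `multifactorDisable` checkbox without a permission condition of its own, while the PHP side of this commit only honours the field when the session has `admin.user.canEditPassword`. The enclosing `{if}` that closes right after this block opens outside the hunk, so it may already carry that check. If it does not, an administrator without the permission sees a checkbox that is silently ignored on submit. In that case I would extend the condition to `{if $action == 'edit' && $user->multifactorActive && $__wcf->session->getPermission('admin.user.canEditPassword')}`.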
index 359537b521616a5499188a73c72ec7ec5693fbe5..f514dc789e3a1cfe8bbf95fe109ef134ca14ca7f 100755 (executable)
@@ -17,6 +17,7 @@ use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
 use wcf\system\moderation\queue\ModerationQueueManager;
 use wcf\system\style\StyleHandler;
+use wcf\system\user\multifactor\Setup;
 use wcf\system\WCF;
 use wcf\util\StringUtil;
 
@@ -135,6 +136,12 @@ class UserEditForm extends UserAddForm {
         */
        public $disconnect3rdParty = 0;
        
+       /**
+        * true to disable multifactor authentication
+        * @var boolean
+        */
+       public $multifactorDisable = 0;
+       
        /**
         * list of available styles for the edited user
         * @var         Style[]
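Review bot: The docblock declares `@var boolean`, but the property is initialised with the integer `0` and the form reader later assigns `1`. This mirrors `$disconnect3rdParty` directly above, so it is consistent with the file. The annotation would still be accurate only as `public $multifactorDisable = false;` with `true` assigned in the reader, or with the tag changed to `@var int`.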
@@ -211,6 +218,9 @@ class UserEditForm extends UserAddForm {
                }
                
                if (WCF::getSession()->getPermission('admin.user.canEditPassword') && isset($_POST['disconnect3rdParty'])) $this->disconnect3rdParty = 1;
+               if (WCF::getSession()->getPermission('admin.user.canEditPassword') && isset($_POST['multifactorDisable'])) {
+                       $this->multifactorDisable = 1;
+               }
        }
        
        /**
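Review bot: Removing a user's second factor is authorised here by `admin.user.canEditPassword`, the same permission that lets an administrator set a new password, so one permission now covers both factors of the target account. The same check is repeated in the save hunk further down. If that coupling is intended, a short comment would record it, for example `// MFA reset is deliberately tied to canEditPassword: both allow recovering the login.`; otherwise a dedicated permission would keep the two capabilities separate. The method body starts outside the hunk.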
@@ -437,6 +447,20 @@ class UserEditForm extends UserAddForm {
                $this->objectAction = new UserAction([$this->userID], 'update', $data);
                $this->objectAction->executeAction();
                
+               // disable multifactor authentication
+               if (WCF::getSession()->getPermission('admin.user.canEditPassword') && $this->multifactorDisable) {
+                       WCF::getDB()->beginTransaction();
+                       $setups = Setup::getAllForUser($this->user->getDecoratedObject());
+                       foreach ($setups as $setup) {
+                               $setup->delete();
+                       }
+               
+                       $this->user->update([
+                               'multifactorActive' => 0,
+                       ]);
+                       WCF::getDB()->commitTransaction();
+               }
+               
                // reload user
                $this->user = new UserEditor(new User($this->userID));
                
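Review bot: The transaction opened by `WCF::getDB()->beginTransaction()` has no failure path: if `$setup->delete()` or `$this->user->update()` throws, `commitTransaction()` is never reached and nothing rolls back explicitly. Wrapping the body in `try`/`catch` and calling `rollBackTransaction()` before rethrowing keeps the deleted setups and the `multifactorActive` flag consistent. Separately, nothing in this hunk records which administrator removed the second factor or informs the affected user. For a change that weakens an account's protection, a log entry or notification is worth adding. The enclosing method starts and ends outside the hunk.

```php
if (WCF::getSession()->getPermission('admin.user.canEditPassword') && $this->multifactorDisable) {
	WCF::getDB()->beginTransaction();
	try {
		// … unchanged: delete every Setup of the user, set multifactorActive to 0 …
		WCF::getDB()->commitTransaction();
	}
	catch (\Throwable $e) {
		// Leave neither a half-deleted setup list nor an open transaction behind.
		WCF::getDB()->rollBackTransaction();
		throw $e;
	}
}
```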
index 914150327ee8a6f44ec9f18e4c9af6c00fabff08..e20d8a9d2d7c4142d0d0a512baf692b9219f7f24 100644 (file)
@@ -3226,6 +3226,12 @@ freigeschaltet. {if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie können{/if
                <item name="wcf.acp.user.action.unconfirmEmail"><![CDATA[Bestätigung der E-Mail-Adresse widerrufen]]></item>
                <item name="wcf.acp.user.exportGdpr"><![CDATA[Persönliche Daten exportieren (DSGVO)]]></item>
                <item name="wcf.acp.user.coverPhoto.description"><![CDATA[{if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie können{/if} ein Titelbild im Profil des Benutzers hochladen.]]></item>
+               <item name="wcf.acp.user.security.multifactor"><![CDATA[Mehrfaktor-Authentifizierung]]></item>
+               <item name="wcf.acp.user.security.multifactor.active"><![CDATA[<span class="icon icon16 fa-check green"></span> Aktiv]]></item>
+               <item name="wcf.acp.user.security.multifactor.active.description"><![CDATA[Dieses Benutzerkonto wird durch einen zweiten Faktor geschützt.]]></item>
+               <item name="wcf.acp.user.security.multifactor.disable"><![CDATA[Mehrfaktor-Authentifizierung vollständig deaktivieren]]></item>
+               <item name="wcf.acp.user.security.multifactor.disable.description"><![CDATA[Deaktiviert die Mehrfaktor-Authentifizierung für das Benutzerkonto <strong>{$user->username}</strong> vollständig. Der Benutzer muss die Mehrfaktor-Authentifizierung anschließend erneut einrichten.<br>\r
+<strong>Achtung:</strong> Die Mehrfaktor-Authentifizierung wird von Benutzern aktiv eingerichtet, um das eigene Benutzerkonto besser zu schützen. {if LANGUAGE_USE_INFORMAL_VARIANT}Stelle sicher, dass du den Benutzer ausreichend authentifizierst, bevor du die Mehrfaktor-Authentifizierung deaktivierst.{else}Stellen Sie sicher, dass Sie den Benutzer ausreichend authentifizieren, bevor Sie die Mehrfaktor-Authentifizierung deaktivieren.{/if}]]></item>
        </category>
        <category name="wcf.acp.worker">
                <item name="wcf.acp.worker.abort.confirmMessage"><![CDATA[{if LANGUAGE_USE_INFORMAL_VARIANT}Willst du{else}Wollen Sie{/if} die Ausführung wirklich abbrechen?]]></item>
index bb9fda89aa1f3a3a03a8fa51a996a1aa33dfa0c3..de6d6eb60482c961468a4ab53fe42d24040ab8d9 100644 (file)
@@ -3150,6 +3150,12 @@ Your account on the website: {@PAGE_TITLE|language} [URL:{link isEmail=true}{/li
                <item name="wcf.acp.user.action.unconfirmEmail"><![CDATA[Unconfirm Email Address]]></item>
                <item name="wcf.acp.user.exportGdpr"><![CDATA[Export Personal Data (GDPR)]]></item>
                <item name="wcf.acp.user.coverPhoto.description"><![CDATA[You can upload a cover photo on their user profile page.]]></item>
+               <item name="wcf.acp.user.security.multifactor"><![CDATA[Multi-factor authentication]]></item>
+               <item name="wcf.acp.user.security.multifactor.active"><![CDATA[<span class="icon icon16 fa-check green"></span> Active]]></item>
+               <item name="wcf.acp.user.security.multifactor.active.description"><![CDATA[This user account is protected by a second factor.]]></item>
+               <item name="wcf.acp.user.security.multifactor.disable"><![CDATA[Completely Disable Multi-factor Authentication]]></item>
+               <item name="wcf.acp.user.security.multifactor.disable.description"><![CDATA[Completely disables multi-factor authentication for the account <strong>{$user->username}</strong>. The user will need to setup up multi-factor authentication from scratch if this checkbox is checked.<br>\r
+<strong>Heads up:</strong> Multi-factor authentication is actively set up by users to better protect their accounts. Please make sure to properly authenticate the user before disabling multi-factor authentication for their account.]]></item>
        </category>
        <category name="wcf.acp.worker">
                <item name="wcf.acp.worker.abort.confirmMessage"><![CDATA[Do you really want to terminate the execution?]]></item>