From: Tim Düsterhus Date: Thu, 3 Dec 2020 08:35:52 +0000 (+0100) Subject: Add multi-factor management to UserEditForm X-Git-Tag: 5.4.0_Alpha_1~555^2~8^2~1 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3fcadd19dfd1cc0e9ee5ad867c2904319177a079;p=GitHub%2FWoltLab%2FWCF.git Add multi-factor management to UserEditForm --- diff --git a/wcfsetup/install/files/acp/templates/userAdd.tpl b/wcfsetup/install/files/acp/templates/userAdd.tpl index c4ccd73b84..f3c9926410 100644 --- a/wcfsetup/install/files/acp/templates/userAdd.tpl +++ b/wcfsetup/install/files/acp/templates/userAdd.tpl @@ -183,6 +183,32 @@ {event name='passwordFields'} {/if} + + {if $action == 'edit' && $user->multifactorActive} +
+

{lang}wcf.acp.user.security.multifactor{/lang}

+ +
+
{lang}wcf.acp.user.security.multifactor{/lang}
+
+ {lang}wcf.acp.user.security.multifactor.active{/lang} + {lang}wcf.acp.user.security.multifactor.active.description{/lang} +
+
+ +
+
+
+ + + {lang}wcf.acp.user.security.multifactor.disable.description{/lang} + +
+
+
+ {/if}
 {/if}
 {if $action == 'edit' && $__wcf->session->getPermission('admin.user.canBanUser') && $__wcf->user->userID != $userID}
diff --git a/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php b/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
index 359537b521..f514dc789e 100755
--- a/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
@@ -17,6 +17,7 @@ use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
 use wcf\system\moderation\queue\ModerationQueueManager;
 use wcf\system\style\StyleHandler;
+use wcf\system\user\multifactor\Setup;
 use wcf\system\WCF;
 use wcf\util\StringUtil;
@@ -135,6 +136,12 @@ class UserEditForm extends UserAddForm {
 */
 public $disconnect3rdParty = 0;
+ /**
+ * true to disable multifactor authentication
+ * @var boolean
+ */
+ public $multifactorDisable = 0;
+
 /**
 * list of available styles for the edited user
 * @var Style[]
@@ -211,6 +218,9 @@ class UserEditForm extends UserAddForm {
 }
 if (WCF::getSession()->getPermission('admin.user.canEditPassword') && isset($_POST['disconnect3rdParty'])) $this->disconnect3rdParty = 1;
+ if (WCF::getSession()->getPermission('admin.user.canEditPassword') && isset($_POST['multifactorDisable'])) {
+ $this->multifactorDisable = 1;
+ }
 }
 /**
@@ -437,6 +447,20 @@ class UserEditForm extends UserAddForm {
 $this->objectAction = new UserAction([$this->userID], 'update', $data);
 $this->objectAction->executeAction();
+ // disable multifactor authentication
+ if (WCF::getSession()->getPermission('admin.user.canEditPassword') && $this->multifactorDisable) {
+ WCF::getDB()->beginTransaction();
+ $setups = Setup::getAllForUser($this->user->getDecoratedObject());
+ foreach ($setups as $setup) {
+ $setup->delete();
+ }
+
+ $this->user->update([
+ 'multifactorActive' => 0,
+ ]);
+ WCF::getDB()->commitTransaction();
+ }
+
 // reload user
 $this->user = new UserEditor(new User($this->userID));
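Review bot: In the hunk at -211 the `multifactorDisable` flag is gated on `admin.user.canEditPassword`, the same permission the save hunk at -437 checks, so any role allowed to reset a password can also remove the account's second factor; held together, those two rights undo the protection MFA gives that account. If the coupling is deliberate, say so next to the check, e.g. `// removing MFA is intentionally tied to canEditPassword`; otherwise a separate permission would let sites grant password resets without MFA removal. Neither hunk excludes the administrator's own account, whereas the ban section in userAdd.tpl tests `$__wcf->user->userID != $userID`, so it is worth deciding explicitly whether self-removal through the ACP should be allowed. The enclosing method begins outside the hunk.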
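Review bot: The block added at -437 deletes every `Setup` and clears `multifactorActive`, but nothing in the hunk records which administrator did it or informs the account owner, and removal of a second factor is an event incident responders will want to reconstruct. I would write an audit entry (acting user ID, target user ID, time) inside the same transaction, marked with a comment such as `// security-relevant: log admin-initiated MFA removal`; whether the project already logs this elsewhere is not visible here. The `beginTransaction()`/`commitTransaction()` pair also has no catch path, so a failing `$setup->delete()` depends on connection teardown to undo the partial delete; calling `WCF::getDB()->rollBackTransaction();` in a catch block before rethrowing would make that explicit. The enclosing method starts and ends outside the hunk.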
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml index 914150327e..e20d8a9d2d 100644 --- a/wcfsetup/install/lang/de.xml +++ b/wcfsetup/install/lang/de.xml @@ -3226,6 +3226,12 @@ freigeschaltet. {if LANGUAGE_USE_INFORMAL_VARIANT}Du kannst{else}Sie können{/if + + Aktiv]]> + + + {$user->username} vollständig. Der Benutzer muss die Mehrfaktor-Authentifizierung anschließend erneut einrichten.
+Achtung: Die Mehrfaktor-Authentifizierung wird von Benutzern aktiv eingerichtet, um das eigene Benutzerkonto besser zu schützen. {if LANGUAGE_USE_INFORMAL_VARIANT}Stelle sicher, dass du den Benutzer ausreichend authentifizierst, bevor du die Mehrfaktor-Authentifizierung deaktivierst.{else}Stellen Sie sicher, dass Sie den Benutzer ausreichend authentifizieren, bevor Sie die Mehrfaktor-Authentifizierung deaktivieren.{/if}]]>
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml index bb9fda89aa..de6d6eb604 100644 --- a/wcfsetup/install/lang/en.xml +++ b/wcfsetup/install/lang/en.xml @@ -3150,6 +3150,12 @@ Your account on the website: {@PAGE_TITLE|language} [URL:{link isEmail=true}{/li + + Active]]> + + + {$user->username}. The user will need to setup up multi-factor authentication from scratch if this checkbox is checked.
+Heads up: Multi-factor authentication is actively set up by users to better protect their accounts. Please make sure to properly authenticate the user before disabling multi-factor authentication for their account.]]>