From fd5a80d4b333d7d9af3726d74c1b7646d69df4c6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Fri, 13 Nov 2020 15:40:02 +0100
Subject: [PATCH] Disallow management of backup codes if they are not set up

---
 com.woltlab.wcf/templates/accountSecurity.tpl | 50 ++++++++++---------
 .../lib/form/MultifactorManageForm.class.php  |  6 +++
 2 files changed, 32 insertions(+), 24 deletions(-)
diff --git a/com.woltlab.wcf/templates/accountSecurity.tpl b/com.woltlab.wcf/templates/accountSecurity.tpl
index 810b2556ae..e176940f3b 100644
--- a/com.woltlab.wcf/templates/accountSecurity.tpl
+++ b/com.woltlab.wcf/templates/accountSecurity.tpl
@@ -7,35 +7,37 @@
 	
 	<ul class="containerList">
 		{foreach from=$multifactorMethods item=method}
-			<li class="box64">
-				<div>
-					<span class="icon icon64 fa-{if $method->icon}{$method->icon}{else}lock{/if}"></span>
-				</div>
-				
-				<div class="accountSecurityContainer">
-					<div class="containerHeadline accountSecurityInformation">
-						<h3>
-							{lang}wcf.user.security.multifactor.{$method->objectType}{/lang}
+			{if $method->objectType !== 'com.woltlab.wcf.multifactor.backup' || $enabledMultifactorMethods[$method->objectTypeID]|isset}
+				<li class="box64">
+					<div>
+						<span class="icon icon64 fa-{if $method->icon}{$method->icon}{else}lock{/if}"></span>
+					</div>
+					
+					<div class="accountSecurityContainer">
+						<div class="containerHeadline accountSecurityInformation">
+							<h3>
+								{lang}wcf.user.security.multifactor.{$method->objectType}{/lang}
+								
+								{if $enabledMultifactorMethods[$method->objectTypeID]|isset}
+									<span class="badge green">
+										{lang}wcf.user.security.multifactor.active{/lang}
+									</span>
+								{/if}
+							</h3>
 							
 							{if $enabledMultifactorMethods[$method->objectTypeID]|isset}
-								<span class="badge green">
-									{lang}wcf.user.security.multifactor.active{/lang}
-								</span>
+								{@$method->getProcessor()->getStatusText($enabledMultifactorMethods[$method->objectTypeID])}
 							{/if}
-						</h3>
+						</div>
 						
-						{if $enabledMultifactorMethods[$method->objectTypeID]|isset}
-							{@$method->getProcessor()->getStatusText($enabledMultifactorMethods[$method->objectTypeID])}
-						{/if}
-					</div>
-					
-					<div class="accountSecurityButtons">
-						<a class="small button" href="{link controller='MultifactorManage' id=$method->objectTypeID}{/link}">
-							{lang}wcf.user.security.multifactor.{if $enabledMultifactorMethods[$method->objectTypeID]|isset}manage{else}setup{/if}{/lang}
-						</a>
+						<div class="accountSecurityButtons">
+							<a class="small button" href="{link controller='MultifactorManage' id=$method->objectTypeID}{/link}">
+								{lang}wcf.user.security.multifactor.{if $enabledMultifactorMethods[$method->objectTypeID]|isset}manage{else}setup{/if}{/lang}
+							</a>
+						</div>
 					</div>
-				</div>
-			</li>
+				</li>
+			{/if}
 		{/foreach}
 	</ul>
 </section>
diff --git a/wcfsetup/install/files/lib/form/MultifactorManageForm.class.php b/wcfsetup/install/files/lib/form/MultifactorManageForm.class.php
index c3b706c2a8..ed2b7ae573 100644
--- a/wcfsetup/install/files/lib/form/MultifactorManageForm.class.php
+++ b/wcfsetup/install/files/lib/form/MultifactorManageForm.class.php
@@ -4,6 +4,7 @@ use wcf\data\object\type\ObjectType;
 use wcf\data\object\type\ObjectTypeCache;
 use wcf\form\AbstractFormBuilderForm;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\menu\user\UserMenu;
 use wcf\system\request\LinkHandler;
 use wcf\system\user\multifactor\IMultifactorMethod;
@@ -72,6 +73,11 @@ class MultifactorManageForm extends AbstractFormBuilderForm {
 		$this->method = $objectType;
 		$this->processor = $this->method->getProcessor();
 		$this->setup = Setup::find($this->method, WCF::getUser());
+		
+		// Backup codes may not be managed if they are not yet set up.
+		if ($this->method->objectType === 'com.woltlab.wcf.multifactor.backup' && !$this->setup) {
+			throw new PermissionDeniedException();
+		}
 	}
 	
 	/**
-- 
2.20.1

