Add option to disable two factor auth in admin accounts panel. (#2584)

* Add option to disable two factor auth in admin accounts panel. Closes #2578 * Add @mjankowski's suggestions. * Moves destroy actions behind User#disable_two_factor! * Adds spec coverage for Admin:TwoFactorAuthenticationsController and User#disable_two_factor!
7 years ago · 7880671f35
--- a/app/controllers/admin/two_factor_authentications_controller.rb
+++ b/app/controllers/admin/two_factor_authentications_controller.rb
@ -0,0 +1,18 @@
 # frozen_string_literal: true

 module Admin
  class TwoFactorAuthenticationsController < BaseController
    before_action :set_user

    def destroy
      @user.disable_two_factor!
      redirect_to admin_accounts_path
    end

    private

    def set_user
      @user = User.find(params[:user_id])
    end
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -56,6 +56,12 @@ class User < ApplicationRecord
    confirmed_at.present?
  end

  def disable_two_factor!
    self.otp_required_for_login = false
    otp_backup_codes&.clear
    save!
  end

  def send_devise_notification(notification, *args)
    devise_mailer.send(notification, self, *args).deliver_later
  end
--- a/app/views/admin/accounts/show.html.haml
+++ b/app/views/admin/accounts/show.html.haml
@ -70,6 +70,8 @@
 - if @account.local?
  %div{ style: 'float: right' }
    = link_to t('admin.accounts.reset_password'), admin_account_reset_path(@account.id), method: :create, class: 'button'
    - if @account.user&.otp_required_for_login?
      = link_to t('admin.accounts.disable_two_factor_authentication'), admin_user_two_factor_authentication_path(@account.user.id), method: :delete, class: 'button'

 %div{ style: 'float: left' }
  - if @account.silenced?
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -84,6 +84,7 @@ en:
      public: Public
      push_subscription_expires: PuSH subscription expires
      reset_password: Reset password
      disable_two_factor_authentication: Disable 2FA
      salmon_url: Salmon URL
      show:
        created_reports: Reports created by this account
--- a/config/routes.rb
+++ b/config/routes.rb
@ -89,6 +89,10 @@ Rails.application.routes.draw do
      resource :suspension, only: [:create, :destroy]
      resource :confirmation, only: [:create]
    end

    resources :users, only: [] do
      resource :two_factor_authentication, only: [:destroy]
    end
  end

  get '/admin', to: redirect('/admin/settings', status: 302)
--- a/spec/controllers/admin/two_factor_authentications_controller_spec.rb
+++ b/spec/controllers/admin/two_factor_authentications_controller_spec.rb
@ -0,0 +1,17 @@
 require 'rails_helper'

 describe Admin::TwoFactorAuthenticationsController do
  render_views

  let(:user) { Fabricate(:user) }
  before do
    sign_in Fabricate(:user, admin: true), scope: :user
  end

  describe 'DELETE #destroy' do
    it 'redirects to admin accounts page' do
      delete :destroy, params: { user_id: user.id }
      expect(response).to redirect_to(admin_accounts_path)
    end
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -126,6 +126,20 @@ RSpec.describe User, type: :model do
    end
  end

  describe '#disable_two_factor!' do
    it 'sets otp_required_for_login to false' do
      user = Fabricate.build(:user, otp_required_for_login: true)
      user.disable_two_factor!
      expect(user.otp_required_for_login).to be false
    end

    it 'clears otp_backup_codes' do
      user = Fabricate.build(:user, otp_backup_codes: %w[dummy dummy])
      user.disable_two_factor!
      expect(user.otp_backup_codes.empty?).to be true
    end
  end

  describe 'whitelist' do
    around(:each) do |example|
      old_whitelist = Rails.configuration.x.email_whitelist