From 2dc22ac017fc6f103d749a7f3955e67b509320e2 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 21 Dec 2021 11:01:41 +0100
Subject: [PATCH] kolab_2fa: Allow kolab_auth'enticated admins to change user's 2FA settings (add/remove factors)
---
 plugins/kolab_2fa/kolab2fa.js | 9 ++-------
 plugins/kolab_2fa/kolab_2fa.php | 25 +++++++++++++++----------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/plugins/kolab_2fa/kolab2fa.js b/plugins/kolab_2fa/kolab2fa.js
index cec01651..868bf1fd 100644
--- a/plugins/kolab_2fa/kolab2fa.js
+++ b/plugins/kolab_2fa/kolab2fa.js
@@ -128,11 +128,6 @@ window.rcmail && rcmail.addEventListener('init', function(evt) {
 * Remove the given factor from the account
 */
 function remove_factor(id) {
- if (rcmail.env.kolab_2fa_factors[id]) {
- rcmail.env.kolab_2fa_factors[id].active = false;
- }
- render();
-
 var lock = rcmail.set_busy(true, 'saving');
 rcmail.http_post('plugin.kolab-2fa-save', { _method: id, _data: 'false' }, lock);
 }
@@ -184,7 +179,7 @@ window.rcmail && rcmail.addEventListener('init', function(evt) {
 function require_high_security(func, exclude) {
 // request 2nd factor auth
- if (!rcmail.env.session_secured || rcmail.env.session_secured < time() - 120) {
+ if (rcmail.env.session_secured !== true && rcmail.env.session_secured < time() - 180) {
 var method, name;
 
 // find an active factor
@@ -327,7 +322,7 @@ window.rcmail && rcmail.addEventListener('init', function(evt) {
 
 // callback for save failure
 rcmail.addEventListener('plugin.reset_form', function(method) {
- if (rcmail.env.kolab_2fa_factors[method]) {
+ if (method && rcmail.env.kolab_2fa_factors[method]) {
 rcmail.env.kolab_2fa_factors[method].active = false;
 }
 
diff --git a/plugins/kolab_2fa/kolab_2fa.php b/plugins/kolab_2fa/kolab_2fa.php
index 9d415ce5..6658f90b 100644
--- a/plugins/kolab_2fa/kolab_2fa.php
+++ b/plugins/kolab_2fa/kolab_2fa.php
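Review bot: The rewritten condition in require_high_security fails open when `rcmail.env.session_secured` is undefined: `undefined !== true` holds, but `undefined < time() - 180` is false, so the second-factor prompt is skipped rather than shown, whereas the removed `!rcmail.env.session_secured ||` guard forced the prompt in that case. The PHP side now always sets the env value on the settings page, so this only matters if the script is ever loaded without it, but the safe form costs nothing: `if (rcmail.env.session_secured !== true && !(rcmail.env.session_secured > time() - 180)) {`. Note also that this compares a server-issued timestamp against the browser clock, so it can only be a convenience check; the 180-second window has to be enforced again by the server when the save request arrives, which the PHP check_secure_mode appears to do. require_high_security continues past the end of the hunk.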
@@ -422,10 +422,7 @@ class kolab_2fa extends rcube_plugin
 $this->include_script('kolab2fa.js');
 $this->include_stylesheet($this->local_skin_path() . '/kolab2fa.css');
 
- if ($this->check_secure_mode()) {
- $this->api->output->set_env('session_secured', $_SESSION['kolab_2fa_secure_mode']);
- }
-
+ $this->api->output->set_env('session_secured', $this->check_secure_mode());
 $this->api->output->add_label('save','cancel');
 $this->api->output->set_pagetitle($this->gettext('settingstitle'));
 $this->api->output->send('kolab_2fa.config');
@@ -671,7 +668,7 @@ class kolab_2fa extends rcube_plugin
 }
 else if ($errors) {
 $this->api->output->show_message($this->gettext('factorsaveerror'), 'error');
- $this->api->output->command('plugin.reset_form', $method);
+ $this->api->output->command('plugin.reset_form', $data !== false ? $method : null);
 }
 
 $this->api->output->send();
@@ -779,12 +776,20 @@ class kolab_2fa extends rcube_plugin
 }
 
 /**
- *
+ * Check whether the session is secured with 2FA (excluding the logon)
 */
 protected function check_secure_mode()
 {
- $valid = ($_SESSION['kolab_2fa_secure_mode'] && $_SESSION['kolab_2fa_secure_mode'] > time() - 180);
- return $valid;
- }
+ // Allow admins that used kolab_auth's "login as" feature to act without
+ // being asked for the user's second factor
+ if (!empty($_SESSION['kolab_auth_admin']) && !empty($_SESSION['kolab_auth_password'])) {
+ return true;
+ }
 
-}
\ No newline at end of file
+ if ($_SESSION['kolab_2fa_secure_mode'] && $_SESSION['kolab_2fa_secure_mode'] > time() - 180) {
+ return $_SESSION['kolab_2fa_secure_mode'];
+ }
+
+ return false;
+ }
+}
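Review bot: The new `$data !== false ? $method : null` only yields null if `$data` has already been converted to a PHP boolean; the client posts `_data: 'false'` as a string, so if the handler still holds the raw request value the comparison is always true and a failed factor removal keeps passing `$method` to plugin.reset_form, defeating the null check added on the JS side. `$data` is assigned outside this hunk, so the decoding cannot be verified here; if it is not decoded, either decode it once where it is read or compare against the wire form as well, `$data !== false && $data !== 'false' ? $method : null`. The enclosing method starts and ends outside the hunk.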
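Review bot: The new timestamp branch reads `$_SESSION['kolab_2fa_secure_mode']` without an existence check, so on PHP 8 every call from a session that has never entered secure mode emits an "Undefined array key" warning; `if (!empty($_SESSION['kolab_2fa_secure_mode']) && $_SESSION['kolab_2fa_secure_mode'] > time() - 180) {` avoids it. The method now returns three distinct values (`true` for a kolab_auth admin session, the securing timestamp while it is inside the 180-second window, `false` otherwise) and the new docblock should state that contract, e.g. `@return bool|int`, since the JS caller now distinguishes `=== true` from a timestamp. The admin branch trusts two session keys written by another plugin and lets an impersonating admin add or remove a user's factors without presenting any second factor; that is the stated intent, but it is worth confirming that kolab_auth sets `kolab_auth_password` only for genuine "login as" sessions, and a log entry when a factor is changed under this bypass would make such changes auditable. The 180-second window is also duplicated as a literal here and in kolab2fa.js; a single class constant would keep the two in step.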