fix: allow reset_otp_secret only if Two Factor Auth is enabled (bac…

…kport #20506) (#20560) * fix: allow `reset_otp_secret` only if Two Factor Auth is enabled (#20506) * fix: display `Reset OTP Secret` button only if Two factor Auth is enabled * fix: added validations and fetched value from cached doc * fix: linter changes (cherry picked from commit 06580bd) # Conflicts: # frappe/core/doctype/user/user.js # frappe/twofactor.py * chore: conflicts --------- Co-authored-by: Daizy Modi <modidaizy5217@gmail.com> Co-authored-by: Ankush Menat <ankush@frappe.io>
frappe · Apr 11, 2023 · e8025a4 · e8025a4
1 parent 4d6b776
commit e8025a4
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 40 deletions.
diff --git a/frappe/core/doctype/user/user.js b/frappe/core/doctype/user/user.js
@@ -168,14 +168,23 @@ frappe.ui.form.on('User', {
 				});
 			}
 
-			frm.add_custom_button(__("Reset OTP Secret"), function() {
-				frappe.call({
-					method: "frappe.twofactor.reset_otp_secret",
-					args: {
-						"user": frm.doc.name
-					}
-				});
-			}, __("Password"));
+			if (
+				cint(frappe.boot.sysdefaults.enable_two_factor_auth) &&
+				(frappe.session.user == doc.name || frappe.user.has_role("System Manager"))
+			) {
+				frm.add_custom_button(
+					__("Reset OTP Secret"),
+					function () {
+						frappe.call({
+							method: "frappe.twofactor.reset_otp_secret",
+							args: {
+								user: frm.doc.name,
+							},
+						});
+					},
+					__("Password")
+				);
+			}
 
 			frm.trigger('enabled');
 

diff --git a/frappe/twofactor.py b/frappe/twofactor.py
@@ -350,7 +350,7 @@ def send_token_via_sms(otpsecret, token=None, phone_no=None):
 		is_async=True,
 		job_name=None,
 		now=False,
-		**sms_args
+		**sms_args,
 	)
 	return True
 
@@ -386,7 +386,7 @@ def send_token_via_email(user, token, otp_secret, otp_issuer, subject=None, mess
 		is_async=True,
 		job_name=None,
 		now=False,
-		**email_args
+		**email_args,
 	)
 	return True
 
@@ -482,34 +482,44 @@ def disable():
 
 
 @frappe.whitelist()
-def reset_otp_secret(user):
-	otp_issuer = frappe.db.get_value("System Settings", "System Settings", "otp_issuer_name")
-	user_email = frappe.db.get_value("User", user, "email")
-	if frappe.session.user in ["Administrator", user]:
-		clear_default(user + "_otplogin")
-		clear_default(user + "_otpsecret")
-		email_args = {
-			"recipients": user_email,
-			"sender": None,
-			"subject": _("OTP Secret Reset - {0}").format(otp_issuer or "Frappe Framework"),
-			"message": _(
-				"<p>Your OTP secret on {0} has been reset. If you did not perform this reset and did not request it, please contact your System Administrator immediately.</p>"
-			).format(otp_issuer or "Frappe Framework"),
-			"delayed": False,
-			"retry": 3,
-		}
-		enqueue(
-			method=frappe.sendmail,
-			queue="short",
-			timeout=300,
-			event=None,
-			is_async=True,
-			job_name=None,
-			now=False,
-			**email_args
-		)
-		return frappe.msgprint(
-			_("OTP Secret has been reset. Re-registration will be required on next login.")
+def reset_otp_secret(user: str):
+	if frappe.session.user != user:
+		frappe.only_for("System Manager", message=True)
+
+	settings = frappe.get_cached_doc("System Settings")
+
+	if not settings.enable_two_factor_auth:
+		frappe.throw(
+			_("You have to enable Two Factor Auth from System Settings."),
+			title=_("Enable Two Factor Auth"),
 		)
-	else:
-		return frappe.throw(_("OTP secret can only be reset by the Administrator."))
+
+	otp_issuer = settings.otp_issuer_name or "Frappe Framework"
+	user_email = frappe.get_cached_value("User", user, "email")
+
+	clear_default(user + "_otplogin")
+	clear_default(user + "_otpsecret")
+
+	email_args = {
+		"recipients": user_email,
+		"sender": None,
+		"subject": _("OTP Secret Reset - {0}").format(otp_issuer),
+		"message": _(
+			"<p>Your OTP secret on {0} has been reset. If you did not perform this reset and did not request it, please contact your System Administrator immediately.</p>"
+		).format(otp_issuer),
+		"delayed": False,
+		"retry": 3,
+	}
+
+	enqueue(
+		method=frappe.sendmail,
+		queue="short",
+		timeout=300,
+		event=None,
+		is_async=True,
+		job_name=None,
+		now=False,
+		**email_args,
+	)
+
+	frappe.msgprint(_("OTP Secret has been reset. Re-registration will be required on next login."))