Added option to disable 2FA

This mod introduces DISABLE_2FA parameter in [security] section of app.ini (by default set to false). If set to true it disables access to 2FA feature in user preferences (not required in some environments i.e. when reverse proxy auth is used). Authentication code using 2FA and any existing 2FA configuration are left untouched. This mod hides also security tab in user preferences when openid is also disabled; for this reason this mod is not separate PR but exiting PR enhancement. Author-Change-Id: IB#1105071
ibpl · Oct 19, 2020 · 4b867e9 · 4b867e9
1 parent 03c07c2
commit 4b867e9
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 0 deletions.
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -541,6 +541,8 @@ IMPORT_LOCAL_PATHS = false
 ; It also enables them to access other resources available to the user on the operating system that is running the Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
 ; WARNING: This maybe harmful to you website or your operating system.
 DISABLE_GIT_HOOKS = true
+; Set to false to disable 2FA feature.
+DISABLE_2FA = false
 ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Comma separated list of character classes required to pass minimum complexity.

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -400,6 +400,7 @@ relation to port exhaustion.
    It also enables them to access other resources available to the user on the operating system that is running the
    Gitea instance and perform arbitrary actions in the name of the Gitea OS user.
    This maybe harmful to you website or your operating system.
+- `DISABLE_2FA`: **false**: Set to `true` to disable 2FA feature.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -152,6 +152,7 @@ var (
 	MinPasswordLength                  int
 	ImportLocalPaths                   bool
 	DisableGitHooks                    bool
+	Disable2FA                         bool
 	OnlyAllowPushIfGiteaEnvironmentSet bool
 	PasswordComplexity                 []string
 	PasswordHashAlgo                   string
@@ -770,6 +771,7 @@ func NewContext() {
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
+	Disable2FA = sec.Key("DISABLE_2FA").MustBool(false)
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)

diff --git a/modules/templates/helper.go b/modules/templates/helper.go
@@ -234,6 +234,9 @@ func NewFuncMap() []template.FuncMap {
 		"DisableOAuth2": func() bool {
 			return !setting.OAuth2.Enable
 		},
+		"Disable2FA": func() bool {
+			return setting.Disable2FA
+		},
 		"TrN": TrN,
 		"Dict": func(values ...interface{}) (map[string]interface{}, error) {
 			if len(values)%2 != 0 {

diff --git a/templates/user/settings/navbar.tmpl b/templates/user/settings/navbar.tmpl
@@ -5,9 +5,11 @@
 	<a class="{{if .PageIsSettingsAccount}}active{{end}} item" href="{{AppSubUrl}}/user/settings/account">
 		{{.i18n.Tr "settings.account"}}
 	</a>
+	{{if or (not Disable2FA) .EnableOpenIDSignIn}}
 	<a class="{{if .PageIsSettingsSecurity}}active{{end}} item" href="{{AppSubUrl}}/user/settings/security">
 		{{.i18n.Tr "settings.security"}}
 	</a>
+	{{end}}
 	{{if or .EnableSwagger (not DisableOAuth2)}}
 		<a class="{{if .PageIsSettingsApplications}}active{{end}} item" href="{{AppSubUrl}}/user/settings/applications">
 			{{.i18n.Tr "settings.applications"}}

diff --git a/templates/user/settings/security.tmpl b/templates/user/settings/security.tmpl
@@ -3,8 +3,10 @@
 	{{template "user/settings/navbar" .}}
 	<div class="ui container">
 		{{template "base/alert" .}}
+		{{if not Disable2FA}}
 		{{template "user/settings/security_twofa" .}}
 		{{template "user/settings/security_u2f" .}}
+		{{end}}
 		{{if .EnableOpenIDSignIn}}
 		{{template "user/settings/security_accountlinks" .}}
 		{{template "user/settings/security_openid" .}}