kobotoolbox / kpi / 25568812093

82%

master: 76%

Build Type

push

github

Committed by web-flow

Commit Message

fix(mfa): prevent superusers from deactivating MFA when `SUPERUSER_AUTH_ENFORCEMENT` is active DEV-1926 (#6928)

### 📣 Summary
Ensure administrative accounts remain protected by preventing superusers
from disabling two-factor authentication when a security enforcement
configuration is enabled.

### 💭 Notes
- Adds `EnforceSuperuserMFA` permission to ensure that if
`SUPERUSER_AUTH_ENFORCEMENT` is active, the deactivation endpoint will
return a 403 Forbidden
- Does not let the user open the MFA modal to deactivate on the Security
page
- Exposes `is_staff` and `is_superuser `(read-only) via the `/me/`
endpoint and adds `superuser_auth_enforcement` to the `/environment/`
endpoint. These additions allow the frontend to verify these values on
the Security page when determining if the MFA button needs to be
disabled.

### 👀 Preview steps

1. ℹ️ have a superuser account
2. Login to the Django admin and activate the
`SUPERUSER_AUTH_ENFORCEMENT` under **Constance > Config**
4. Login to a regular user account
5. Activate Two-factor authentication under **Account Settings >
Security**
6. Login to the Django admin again as the superuser account and promote
the regular user to superuser
7. Log back in as the newly promoted user and navigate to **Account
Settings > Security**
8. 🔴 [on main] Toggle the "Disabled" button for Two-factor
authentication and it should successfully disable
9. 🟢 [on PR] The "Disabled" button for Two-factor authentication is
grayed out with a tooltip when hovering over the button that says
"Superusers cannot deactivate their MFA."
10. Test and ensure these different scenarios work:
- IF user MFA is OFF -> user can't be made superuser
- IF user MFA in ON -> user can be made superuser
- IF superuser -> MFA can't be deactivated, either in the interface or
in Django, by the user or an admin.

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

Coverage Stats

9107 of 12270 branches covered (74.22%)

19 of 54 new or added lines in 6 files covered. (35.19%)

530 existing lines in 30 files now uncovered.

30011 of 36653 relevant lines covered (81.88%)

5.74 hits per line