Allow removing users two factors

6 years ago · 026f9da035
3 changed files with 27 additions and 6 deletions
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -28,6 +28,7 @@ pub fn routes() -> Vec<Route> {
        invite_user,
        delete_user,
        deauth_user,
+        remove_2fa,
        update_revision_users,
        post_config,
        delete_config,
@ -196,6 +197,18 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
    user.save(&conn)
 }

+#[post("/users/<uuid>/remove-2fa")]
+fn remove_2fa(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
+    let mut user = match User::find_by_uuid(&uuid, &conn) {
+        Some(user) => user,
+        None => err!("User doesn't exist"),
+    };
+
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;
+    user.totp_recover = None;
+    user.save(&conn)
+}
+
 #[post("/users/update_revision")]
 fn update_revision_users(_token: AdminToken, conn: DbConn) -> EmptyResult {
    User::update_all_revisions(&conn)
--- a/src/api/core/two_factor.rs
+++ b/src/api/core/two_factor.rs
@ -95,9 +95,7 @@ fn recover(data: JsonUpcase<RecoverTwoFactor>, conn: DbConn) -> JsonResult {
    }

    // Remove all twofactors from the user
-    for twofactor in TwoFactor::find_by_user(&user.uuid, &conn) {
-        twofactor.delete(&conn)?;
-    }
+    TwoFactor::delete_all_by_user(&user.uuid, &conn)?;

    // Remove the recovery code, not needed without twofactors
    user.totp_recover = None;
--- a/src/static/templates/admin/page.hbs
+++ b/src/static/templates/admin/page.hbs
@ -26,9 +26,13 @@
                                {{/each}}
                            </span>
                        </div>
-                        <div style="flex: 0 0 240px;">
-                            <a class="mr-3" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
-                            <a class="mr-3" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
+                        <div style="flex: 0 0 300px; font-size: 90%; text-align: right; padding-right: 15px">
+                            {{#if TwoFactorEnabled}}
+                            <a class="mr-2" href="#" onclick='remove2fa({{jsesc Id}})'>Remove all 2FA</a>
+                            {{/if}}
+
+                            <a class="mr-2" href="#" onclick='deauthUser({{jsesc Id}})'>Deauthorize sessions</a>
+                            <a class="mr-2" href="#" onclick='deleteUser({{jsesc Id}}, {{jsesc Email}})'>Delete User</a>
                        </div>
                    </div>
                </div>
@ -227,6 +231,12 @@
        }
        return false;
    }
+    function remove2fa(id) {
+        _post("/admin/users/" + id + "/remove-2fa",
+            "2FA removed correctly",
+            "Error removing 2FA");
+        return false;
+    }
    function deauthUser(id) {
        _post("/admin/users/" + id + "/deauth",
            "Sessions deauthorized correctly",