Allow superusers to disable 2fa

2025-09-16 21:55:37 -05:00 · 2024-10-19 21:23:30 -07:00
parent 52ca8025d4
commit 70aa8d6cab
7 changed files with 85 additions and 2 deletions
--- a/src/paperless/serialisers.py
+++ b/src/paperless/serialisers.py
@@ -33,6 +33,11 @@ class UserSerializer(serializers.ModelSerializer):
        required=False,
    )
    inherited_permissions = serializers.SerializerMethodField()
+    is_mfa_enabled = serializers.SerializerMethodField()
+
+    def get_is_mfa_enabled(self, user: User):
+        mfa_adapter = get_mfa_adapter()
+        return mfa_adapter.is_mfa_enabled(user)

    class Meta:
        model = User
@@ -50,6 +55,7 @@ class UserSerializer(serializers.ModelSerializer):
            "groups",
            "user_permissions",
            "inherited_permissions",
+            "is_mfa_enabled",
        )

    def get_inherited_permissions(self, obj):
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -17,6 +17,7 @@ from django.http import HttpResponseBadRequest
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authtoken.models import Token
+from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter
 from rest_framework.generics import GenericAPIView
 from rest_framework.pagination import PageNumberPagination
@@ -106,6 +107,24 @@ class UserViewSet(ModelViewSet):
    filterset_class = UserFilterSet
    ordering_fields = ("username",)

+    @action(detail=True, methods=["post"])
+    def deactivate_totp(self, request, pk=None):
+        request_user = request.user
+        user = User.objects.get(pk=pk)
+        if not request_user.is_superuser and request_user != user:
+            return HttpResponseBadRequest(
+                "You do not have permission to deactivate TOTP for this user",
+            )
+        try:
+            authenticator = Authenticator.objects.filter(
+                user=user,
+                type=Authenticator.Type.TOTP,
+            ).first()
+            delete_and_cleanup(request, authenticator)
+            return Response(True)
+        except Authenticator.DoesNotExist:
+            return HttpResponseBadRequest("TOTP not found")
+

 class GroupViewSet(ModelViewSet):
    model = Group