From 325add71cfa3789b5e7ecf40bfe25376981654a7 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Tue, 5 Jan 2021 13:54:48 +0000
Subject: [PATCH] Add option for administrator to reset user 2FA (#14243)

* Frontend

* Backend

* only show 2FA-Reset option if posible
---
 modules/auth/admin.go           |  1 +
 options/locale/locale_en-US.ini |  1 +
 routers/admin/users.go          | 23 +++++++++++++++++++++++
 templates/admin/user/edit.tmpl  | 10 ++++++++++
 4 files changed, 35 insertions(+)

diff --git a/modules/auth/admin.go b/modules/auth/admin.go
index 9caf81e07..1f840251c 100644
--- a/modules/auth/admin.go
+++ b/modules/auth/admin.go
@@ -42,6 +42,7 @@ type AdminEditUserForm struct {
 	AllowImportLocal        bool
 	AllowCreateOrganization bool
 	ProhibitLogin           bool
+	Reset2FA                bool `form:"reset_2fa"`
 }
 
 // Validate validates form fields
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 06471fd6c..de4dcde3f 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2116,6 +2116,7 @@ users.delete_account = Delete User Account
 users.still_own_repo = This user still owns one or more repositories. Delete or transfer these repositories first.
 users.still_has_org = This user is a member of an organization. Remove the user from any organizations first.
 users.deletion_success = The user account has been deleted.
+users.reset_2fa = Reset 2FA
 
 emails.email_manage_panel = User Email Management
 emails.primary = Primary
diff --git a/routers/admin/users.go b/routers/admin/users.go
index 2ea496624..1dc6d5bbe 100644
--- a/routers/admin/users.go
+++ b/routers/admin/users.go
@@ -183,6 +183,16 @@ func prepareUserInfo(ctx *context.Context) *models.User {
 	}
 	ctx.Data["Sources"] = sources
 
+	ctx.Data["TwoFactorEnabled"] = true
+	_, err = models.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if !models.IsErrTwoFactorNotEnrolled(err) {
+			ctx.InternalServerError(err)
+			return nil
+		}
+		ctx.Data["TwoFactorEnabled"] = false
+	}
+
 	return u
 }
 
@@ -259,6 +269,19 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
 		u.HashPassword(form.Password)
 	}
 
+	if form.Reset2FA {
+		tf, err := models.GetTwoFactorByUID(u.ID)
+		if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
+			ctx.InternalServerError(err)
+			return
+		}
+
+		if err = models.DeleteTwoFactorByID(tf.ID, u.ID); err != nil {
+			ctx.InternalServerError(err)
+			return
+		}
+	}
+
 	u.LoginName = form.LoginName
 	u.FullName = form.FullName
 	u.Email = form.Email
diff --git a/templates/admin/user/edit.tmpl b/templates/admin/user/edit.tmpl
index d6cbdd5f5..9edf337f0 100644
--- a/templates/admin/user/edit.tmpl
+++ b/templates/admin/user/edit.tmpl
@@ -110,6 +110,16 @@
 				</div>
 				{{end}}
 
+				{{if .TwoFactorEnabled}}
+				<div class="ui divider"></div>
+				<div class="inline field">
+					<div class="ui checkbox">
+						<label><strong>{{.i18n.Tr "admin.users.reset_2fa"}}</strong></label>
+						<input name="reset_2fa" type="checkbox">
+					</div>
+				</div>
+				{{end}}
+
 				<div class="ui divider"></div>
 
 				<div class="field">