Merge branch '343061-remove-2fa-password-requirement-when-password-auth-disabled' into 'master'

Fix 2FA setup for LDAP users See merge request gitlab-org/gitlab!73538

Merge branch '343061-remove-2fa-password-requirement-when-password-auth-disabled' into 'master'
Fix 2FA setup for LDAP users See merge request gitlab-org/gitlab!73538
3105d07e · Andy Soiron · b090066a · c29aca2e · 3105d07e · 3105d07e
Commit 3105d07e authored Nov 08, 2021 by Andy Soiron
2 changed files
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -147,7 +147,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
  end

  def current_password_required?
-    !current_user.password_automatically_set?
+    !current_user.password_automatically_set? && current_user.allow_password_authentication_for_web?
  end

  def build_qr_code

--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -62,6 +62,32 @@ RSpec.describe Profiles::TwoFactorAuthsController do
        expect(flash[:alert]).to be_nil
      end
    end
+
+    context 'when password authentication is disabled' do
+      before do
+        stub_application_setting(password_authentication_enabled_for_web: false)
+      end
+
+      it 'does not require the current password', :aggregate_failures do
+        go
+
+        expect(response).not_to redirect_to(redirect_path)
+        expect(flash[:alert]).to be_nil
+      end
+    end
+
+    context 'when the user is an LDAP user' do
+      before do
+        allow(user).to receive(:ldap_user?).and_return(true)
+      end
+
+      it 'does not require the current password', :aggregate_failures do
+        go
+
+        expect(response).not_to redirect_to(redirect_path)
+        expect(flash[:alert]).to be_nil
+      end
+    end
  end

  describe 'GET show' do