Fix 2FA setup for LDAP users

LDAP and other oauth users couldn't set up two factor authentication
when they had a password prior to linking oauth and didn't remember
the password. This commit removes the requirement to enter the current
password if authentication with password is disabled for the
application.

Changelog: fixed

app/controllers/profiles/two_factor_auths_controller.rb

@@ -147,7 +147,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   end
 
   def current_password_required?
-    !current_user.password_automatically_set?
+    !current_user.password_automatically_set? && current_user.allow_password_authentication_for_web?
   end
 
   def build_qr_code

spec/controllers/profiles/two_factor_auths_controller_spec.rb

@@ -62,6 +62,32 @@ RSpec.describe Profiles::TwoFactorAuthsController do
         expect(flash[:alert]).to be_nil
       end
     end
+
+    context 'when password authentication is disabled' do
+      before do
+        stub_application_setting(password_authentication_enabled_for_web: false)
+      end
+
+      it 'does not require the current password', :aggregate_failures do
+        go
+
+        expect(response).not_to redirect_to(redirect_path)
+        expect(flash[:alert]).to be_nil
+      end
+    end
+
+    context 'when the user is an LDAP user' do
+      before do
+        allow(user).to receive(:ldap_user?).and_return(true)
+      end
+
+      it 'does not require the current password', :aggregate_failures do
+        go
+
+        expect(response).not_to redirect_to(redirect_path)
+        expect(flash[:alert]).to be_nil
+      end
+    end
   end
 
   describe 'GET show' do