Esempio n. 1
def _two_factor_required(view_func, domain, couch_user):
    """Decide whether two-factor auth must be enforced for this view.

    :param view_func: the view callable; a truthy ``two_factor_exempt``
        attribute on it opts the view out of enforcement
    :param domain: object whose ``two_factor_auth`` attribute is the
        domain-level policy switch
    :param couch_user: user object providing ``username`` and
        ``two_factor_disabled``
    :return: truthy when 2FA has to be enforced, falsy otherwise
    """
    # A view without the marker attribute counts as non-exempt, so a
    # forgotten or lost marker fails closed (2FA stays enforced).
    if getattr(view_func, 'two_factor_exempt', False):
        return False

    # Either the domain policy or the per-username rollout check turns
    # enforcement on.
    policy_applies = (
        domain.two_factor_auth
        or TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(couch_user.username)
    )
    # The per-user two_factor_disabled flag overrides both policies,
    # including the rollout one.
    return policy_applies and not couch_user.two_factor_disabled
Esempio n. 2
def _two_factor_required(view_func, domain_obj, request):
    """
    Decide whether Two Factor Authentication must be enforced for a request.

    The checks run in this order: exempt view, missing user, SSO session,
    superuser policy, then domain / rollout policy.

    :param view_func: the view function being accessed; a truthy
        ``two_factor_exempt`` attribute on it skips enforcement
    :param domain_obj: Domain instance associated with the view
    :param request: Request; ``request.couch_user`` is read from it
    :return: truthy if 2FA is required, falsy otherwise
    """
    # A view without the marker attribute is treated as non-exempt, so
    # the default is to enforce.
    if getattr(view_func, 'two_factor_exempt', False):
        return False

    # NOTE(review): a request without a couch_user is reported as "2FA not
    # required"; presumably login enforcement happens elsewhere - confirm.
    if not request.couch_user:
        return False

    sso_session = (
        ENTERPRISE_SSO.enabled_for_request(request)
        and is_request_using_sso(request)
    )
    if sso_session:
        # SSO authenticated users manage two-factor auth on the Identity
        # Provider level, so CommCare HQ does not attempt 2FA with them. This
        # is one of the reasons we require that domains establish
        # TrustedIdentityProvider relationships.
        # NOTE(review): nothing here verifies that the Identity Provider
        # actually enforced a second factor; that is trusted, not checked.
        return False

    user = request.couch_user

    # If a user is a superuser, then there is no two_factor_disabled loophole
    # allowed. If you lose your phone, you have to give up superuser
    # privileges until you have two factor set up again.
    superuser_must_use_2fa = (
        settings.REQUIRE_TWO_FACTOR_FOR_SUPERUSERS and user.is_superuser
    )
    if superuser_must_use_2fa:
        return superuser_must_use_2fa

    # For other policies requiring two factor auth, allow the
    # two_factor_disabled loophole for people who have lost their phones and
    # need time to set up two factor auth again.
    policy_applies = (
        domain_obj.two_factor_auth
        or TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(user.username)
    )
    return policy_applies and not user.two_factor_disabled
Esempio n. 3
def _two_factor_required(view_func, domain, couch_user):
    """Tell whether the view has to be protected by two-factor auth.

    :param view_func: the view callable; ``two_factor_exempt`` set to a
        truthy value on it disables the check for that view
    :param domain: object carrying the ``two_factor_auth`` policy flag
    :param couch_user: user object providing ``username`` and
        ``two_factor_disabled``
    :return: truthy when 2FA is required, falsy otherwise
    """
    # Missing marker attribute means "not exempt": enforcement is the default.
    if getattr(view_func, 'two_factor_exempt', False):
        return False

    enforced = domain.two_factor_auth or TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(couch_user.username)
    if not enforced:
        # Neither the domain policy nor the rollout check asks for 2FA.
        return enforced

    # Some policy applies; the per-user two_factor_disabled flag is the
    # only thing that can still waive it.
    return not couch_user.two_factor_disabled
Esempio n. 4
def _two_factor_required(view_func, domain, couch_user):
    """Decide whether two-factor auth must be enforced for this view.

    The superuser policy is evaluated first and cannot be waived by the
    per-user ``two_factor_disabled`` flag; the domain and rollout policies
    can.

    :param view_func: the view callable; a truthy ``two_factor_exempt``
        attribute on it skips enforcement
    :param domain: object carrying the ``two_factor_auth`` policy flag
    :param couch_user: user object providing ``username``, ``is_superuser``
        and ``two_factor_disabled``
    :return: truthy when 2FA is required, falsy otherwise
    """
    # Exempt views are skipped before any policy is consulted, including
    # the superuser one. A view without the marker is not exempt.
    if getattr(view_func, 'two_factor_exempt', False):
        return False

    # If a user is a superuser, then there is no two_factor_disabled loophole
    # allowed. If you lose your phone, you have to give up superuser
    # privileges until you have two factor set up again.
    forced_for_superuser = settings.REQUIRE_TWO_FACTOR_FOR_SUPERUSERS and couch_user.is_superuser
    if forced_for_superuser:
        return forced_for_superuser

    # For other policies requiring two factor auth, allow the
    # two_factor_disabled loophole for people who have lost their phones and
    # need time to set up two factor auth again.
    policy_active = (
        domain.two_factor_auth
        or TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(couch_user.username)
    )
    return policy_active and not couch_user.two_factor_disabled
Esempio n. 5
def _two_factor_required(view_func, domain, couch_user):
    """Decide whether two-factor auth must be enforced for this view.

    :param view_func: the view callable; a truthy ``two_factor_exempt``
        attribute on it skips enforcement
    :param domain: object carrying the ``two_factor_auth`` policy flag
    :param couch_user: user object providing ``username`` and
        ``two_factor_disabled``
    :return: truthy when 2FA is required, falsy otherwise
    """
    in_rollout = TWO_FACTOR_SUPERUSER_ROLLOUT.enabled(couch_user.username)
    # A view without the marker attribute is not exempt (fail closed).
    enforceable = not getattr(view_func, 'two_factor_exempt', False)

    # Rollout users get 2FA on every non-exempt view; their
    # two_factor_disabled flag is not consulted on this path. For everyone
    # else an exempt view ends the check here with False.
    if in_rollout or not enforceable:
        return enforceable

    # Outside the rollout the domain policy decides, and the per-user
    # two_factor_disabled flag can waive it.
    return domain.two_factor_auth and not couch_user.two_factor_disabled