Add the permission level use_two_factor_auth.
Roles with this permission level are required to use two factor
authentication to sign in.  Users below this permission level
can sign in directly.  The default user role with this permission is
"student".  But if there is strong opposition to this default, then I
suppose it could be switched to "login_proctor".

Note that even if this is set to "guest", guest users will still be able
to sign in without two factor authentication since it never really makes
sense to have guests (i.e. practice users) use two factor authentication.
drgrice1 committed Mar 16, 2024
1 parent 48a765a commit 334557c
Showing 3 changed files with 11 additions and 1 deletion.
1 change: 1 addition & 0 deletions conf/defaults.config
Expand Up @@ -772,6 +772,7 @@ $authen{admin_module} = ['WeBWorK::Authen::Basic_TheLastOption'];
%permissionLevels = (
login => "guest",
navigation_allowed => "guest",
use_two_factor_auth => "student",
report_bugs => "ta",
submit_feedback => "student",
change_password => "student",
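Review bot: The new use_two_factor_auth entry has no comment in %permissionLevels, and it reads differently from its neighbours: login, report_bugs and change_password grant a capability to roles at or above the named one, while this key imposes a requirement on those roles. A one-line comment beside the entry saying that roles at or above this level must complete two factor authentication, and that it only takes effect when two factor authentication is enabled, would keep an administrator from raising the level in the belief that this tightens access when it actually exempts more roles.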
10 changes: 9 additions & 1 deletion conf/localOverrides.conf.dist
Expand Up @@ -220,7 +220,7 @@ $mail{feedbackRecipients} = [
# $permissionLevels{login} = "guest";

# The above code would give the permission to login to any user with permission
# level guest or higher.
# level guest or higher (which is the default).

# By default answers for all users are logged to the past_answers table in the database
# and the myCourse/logs/answer_log file. If you only want answers logged for users below
Expand Down Expand Up @@ -625,6 +625,14 @@ $mail{feedbackRecipients} = [
# better to find a valid email address to use for this.
#$twoFA{email_sender} = '[email protected]';

# By default all users with the role of "student" or higher are required to use
# two factor authentication when signing in with a username and password. If
# you want to disable two factor authentication for students, but require it for
# instructors then set the permission level below to "login_proctor" (or
# higher).

#$permissionLevels{use_two_factor_auth} = "login_proctor";

################################################################################
# Searching for set.def files to import
################################################################################
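Review bot: The added comment block does not mention the guest exemption that the commit message describes, so an administrator who sets $permissionLevels{use_two_factor_auth} to "guest" gets no hint that guest users still sign in without a second factor. I would state that here, and also tighten the wording "require it for instructors": the level is a lower bound, so "login_proctor" requires two factor authentication for every role at or above login_proctor, not only for instructors.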
1 change: 1 addition & 0 deletions lib/WeBWorK/Authen.pm
Expand Up @@ -198,6 +198,7 @@ sub verify {
&& !$self->{external_auth}
&& (!$c->{rpc} || ($c->{rpc} && !$c->stash->{disable_cookies}))
&& $c->ce->two_factor_authentication_enabled
&& $c->authz->hasPermissions($self->{user_id}, 'use_two_factor_auth')
&& ($self->{initial_login} || $self->session->{two_factor_verification_needed})
&& !$remember_2fa)
{
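Review bot: The added hasPermissions($self->{user_id}, 'use_two_factor_auth') term sits in the && chain that decides whether the second factor is demanded, so any false result from it skips two factor authentication, which means a lookup problem fails open. Please confirm what hasPermissions returns when $permissionLevels{use_two_factor_auth} is undefined or set to a misspelled role in a course's overrides; if that is false, a configuration typo silently turns two factor authentication off for every user, and a logged warning for that case would be worth adding. Separately, nothing in the visible condition excludes guests, so if the guest exemption from the commit message is handled elsewhere, a short comment here pointing to it would help.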
