DEV: Show confirmation dialog when admins disable 2FA (#29652)

This PR ensures that admins are shown a confirmation dialog when clicking to disable 2FA for a user. The 2FA button is right below the "Grant Badge" button and as such it can easily be clicked accidentally. It's also good practice to ask for confirmation before removing important functionality.
2025-02-25 18:55:32 -06:00 · 2024-11-08 09:39:42 +09:00
parent fc5c0270f7
commit 5a23a74bbc
4 changed files with 46 additions and 6 deletions
--- a/app/assets/javascripts/admin/addon/controllers/admin-user-index.js
+++ b/app/assets/javascripts/admin/addon/controllers/admin-user-index.js
@@ -374,7 +374,12 @@ export default class AdminUserIndexController extends Controller.extend(

  @action
  disableSecondFactor() {
-    return this.model.disableSecondFactor();
+    this.dialog.yesNoConfirm({
+      message: I18n.t("admin.user.disable_second_factor_confirm"),
+      didConfirm: () => {
+        return this.model.disableSecondFactor();
+      },
+    });
  }

  @action
--- a/app/assets/javascripts/admin/addon/templates/user-index.hbs
+++ b/app/assets/javascripts/admin/addon/templates/user-index.hbs
@@ -230,7 +230,7 @@
    </div>
  {{/if}}

-  <div class="display-row">
+  <div class="display-row second-factor">
    <div class="field">{{i18n "user.second_factor.title"}}</div>
    <div class="value">
      {{#if this.model.second_factor_enabled}}
@@ -245,7 +245,7 @@
          @action={{this.disableSecondFactor}}
          @icon="unlock-keyhole"
          @label="user.second_factor.disable"
-          class="btn-default"
+          class="btn-default disable-second-factor"
        />
      {{/if}}
    </div>
--- a/app/assets/javascripts/discourse/tests/acceptance/admin-user-index-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/admin-user-index-test.js
@@ -81,6 +81,24 @@ acceptance("Admin - User Index", function (needs) {
      });
    });

+    server.get("/admin/users/7.json", () => {
+      return helper.response({
+        id: 7,
+        username: "jimmy",
+        name: "Jimmy Johnson",
+        avatar_template: "/letter_avatar_proxy/v4/letter/b/f0a364/{size}.png",
+        active: true,
+        admin: false,
+        moderator: false,
+        can_grant_admin: true,
+        can_revoke_admin: false,
+        can_grant_moderation: true,
+        can_revoke_moderation: false,
+        second_factor_enabled: true,
+        can_disable_second_factor: true,
+      });
+    });
+
    server.put("/admin/users/4/grant_admin", () => {
      return helper.response(403, {
        second_factor_challenge_nonce: "some-nonce",
@@ -140,6 +158,10 @@ acceptance("Admin - User Index", function (needs) {
        html_message: true,
      });
    });
+
+    server.put("/admin/users/7/disable_second_factor", () => {
+      return helper.response({ success: "OK" });
+    });
  });

  needs.hooks.beforeEach(() => {
@@ -255,6 +277,18 @@ acceptance("Admin - User Index", function (needs) {
    );
  });

+  test("disable 2fa - shows the confirmation dialog", async function (assert) {
+    await visit("/admin/users/7/jimmy");
+    await click(".disable-second-factor");
+    assert.dom(".dialog-content").exists();
+    assert.strictEqual(
+      I18n.t("admin.user.disable_second_factor_confirm"),
+      query(".dialog-body").textContent.trim()
+    );
+
+    await click(".dialog-footer .btn-primary");
+  });
+
  test("delete user - delete without blocking works as expected", async function (assert) {
    await visit("/admin/users/5/user5");
    await click(".btn-user-delete");