diff --git a/ga_login.module b/ga_login.module
index eb48f06..2ae1733 100644
--- a/ga_login.module
+++ b/ga_login.module
@@ -41,10 +41,7 @@ function ga_login_create_access($target_account, $account = NULL) {
 }
 if (user_access('create own login code once', $account)) {
 // check if the user already has a code
- module_load_include('php', 'ga_login', 'ga_login.class');
- $ga = new ga_loginGA(10);
- $username = _ga_login_username($account);
- return !$ga->hasToken($username);
+ return !_ga_login_account_has_code($account);
 }
 }
 return user_access('create others login codes', $account);
@@ -193,6 +190,26 @@ function _ga_login_code_approve_form($form, &$form_state, $account) {
 }

 /**
+ * Check if the given account wants to be forced to use tfa.
+ */
+function _ga_login_force_tfa($account) {
+ if (user_access('login without code', $account)) {
+ return isset($account->data['ga_login_force_tfa']) ? $account->data['ga_login_force_tfa'] : FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Check if the given account does have a code.
+ */
+function _ga_login_account_has_code($account) {
+ module_load_include('php', 'ga_login', 'ga_login.class');
+ $ga = new ga_loginGA(10);
+ $username = _ga_login_username($account);
+ return $ga->hasToken($username);
+}
+
+/**
 * Submit handler to create a new code.
 */
 function ga_login_create_form_submit($form, &$form_state) {
@@ -288,7 +305,7 @@ function ga_login_test_form_submit($form, $form_state) {
 */
 function ga_login_form_alter(&$form, &$form_state, $form_id) {
 if ($form_id == 'user_login_block' || $form_id == 'user_login') {
- array_unshift($form['#validate'],$form['#validate'][0]);
+ array_unshift($form['#validate'], $form['#validate'][0]);
 $form['#validate'][1] = 'ga_login_user_login_validate';
 $form['gacode'] = array(
 '#type' => 'textfield',
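Review bot: The docblock on `_ga_login_force_tfa()` describes only the opt-in case, yet the function also returns TRUE for every account that lacks 'login without code', and that default is what keeps the login check fail-closed. I would state the contract in the docblock, e.g. `Returns TRUE when the account lacks 'login without code' or has set data['ga_login_force_tfa']; FALSE only for permitted accounts that have not opted in.` The stored value is also returned as-is, so casting the ternary result with `(bool)` would keep the return type consistent with the `return TRUE;` branch.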
@@ -306,6 +323,36 @@ function ga_login_form_alter(&$form, &$form_state, $form_id) {
 $form['links']['#weight'] = 5;
 }
 }
+ elseif ($form_id == 'user_profile_form') {
+ $account = $form['#user'];
+ $register = ($account->uid > 0 ? FALSE : TRUE);
+ // Add some more settings to the user profile form.
+ $form['ga_login'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Two factor authentication'),
+ '#weight' => 1,
+ '#access' => (!$register && user_access('login without code', $account)),
+ );
+ $form['ga_login']['ga_login_force_tfa'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('Protect my account with two-factor-authentication'),
+ '#default_value' => isset($account->data['ga_login_force_tfa']) ? $account->data['ga_login_force_tfa'] : FALSE,
+ '#description' => t('Check this box to force two-factor-authentication during login. If you decide to do so and haven\'t yet created your key, then please also refer to GA Login.', array('@url' => url('user/' . $account->uid . '/ga_login'))),
+ );
+ }
+}
+
+/**
+ * Implements hook_user_presave().
+ */
+function ga_login_user_presave(&$edit, $account, $category) {
+ if (isset($edit['ga_login_force_tfa'])) {
+ $edit['data']['ga_login_force_tfa'] = $edit['ga_login_force_tfa'];
+ if ($edit['ga_login_force_tfa'] && empty($account->data['ga_login_force_tfa']) && !_ga_login_account_has_code($account)) {
+ // If force tfa got switched on and the user has no code yet, redirect to the code creation page after saving.
+ $_GET['destination'] = url('user/' . $account->uid . '/ga_login');
+ }
+ }
 }

 /**
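Review bot: Unchecking the new `ga_login_force_tfa` box turns the second factor off with nothing more than a profile save, because `ga_login_user_presave()` copies `$edit['ga_login_force_tfa']` into `$edit['data']` unconditionally. Whoever holds an authenticated session for the account, or an administrator editing it, can therefore downgrade it to password-only login; the on-to-off transition, `empty($edit['ga_login_force_tfa']) && !empty($account->data['ga_login_force_tfa'])`, is where a current-password or valid-code check belongs. Separately, `$_GET['destination']` is assigned the output of `url()`, which carries the base path, while a destination is normally an internal path, so `'user/' . $account->uid . '/ga_login'` on its own looks like what is intended. That override also fires when someone other than the account owner saves the account.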
@@ -316,7 +363,7 @@ function ga_login_user_login_validate($form, &$form_state) {
 $name = $form_state['values']['name'];
 $code = $form_state['values']['gacode'];
 $account = user_load_by_name($name);
- if (!user_access('login without code', $account) || !empty($code) || ($account->uid == 1 && variable_get('ga_login_always_for_uid1', 0))) {
+ if (_ga_login_force_tfa($account) || !empty($code) || ($account->uid == 1 && variable_get('ga_login_always_for_uid1', 0))) {
 module_load_include('php', 'ga_login', 'ga_login.class');
 $ga = new ga_loginGA(10);
 $username = _ga_login_username($account);
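Review bot: `$account` can be FALSE when it reaches `_ga_login_force_tfa($account)` in the changed condition, since `user_load_by_name()` returns FALSE for a name that matches no user, and the value is then passed to `user_access()` and dereferenced as `$account->uid`. The old condition had the same gap, so this is not a regression, but an explicit `if (!$account) { return; }` right after the lookup would make the behaviour deliberate and leave rejection of unknown names to the core validators, assuming they still run after this handler. It is also worth confirming, in the part of the function outside this hunk, that an account which opted in but has no code yet is refused rather than let through. The function body starts and ends outside the hunk.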