From 49acf3e0cfffc2c8d87240c30a455193c53a678f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Sun, 13 Oct 2024 20:13:03 +0200 Subject: [PATCH] Fixed problem preventing non-admins to add TOTP 2FA to their account This was caused by the no-lockout constraint, which was accidentially triggered here
---
src/Controller/UserSettingsController.php | 3 ++- src/Entity/UserSystem/User.php | 2 +- src/Form/UserAdminForm.php | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php
index f84547dc..ea49dbc2 100644
--- a/src/Controller/UserSettingsController.php
+++ b/src/Controller/UserSettingsController.php
@@ -330,7 +330,8 @@ class UserSettingsController extends AbstractController
         }
         $google_form->handleRequest($request);
-        if (!$this->demo_mode && !$user->isSamlUser() && $google_form->isSubmitted() && $google_form->isValid()) {
+        //We do not need to check for validity of the google form here, because we do not care if the other fields are valid
+        if (!$this->demo_mode && !$user->isSamlUser() && $google_form->isSubmitted()) {
             if (!$google_enabled) {
                 //Save 2FA settings (save secrets)
                 $user->setGoogleAuthenticatorSecret($google_form->get('googleAuthenticatorSecret')->getData());
diff --git a/src/Entity/UserSystem/User.php b/src/Entity/UserSystem/User.php
index b26a842d..b5dd6064 100644
--- a/src/Entity/UserSystem/User.php
+++ b/src/Entity/UserSystem/User.php
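Review bot: Dropping `$google_form->isValid()` from the guard on the new `if` line also drops the CSRF token check and every field constraint on the TOTP form, because Symfony reports a bad CSRF token (and, if the form type carries one, a wrong confirmation code) as a form error that only `isValid()` surfaces — `isSubmitted()` alone accepts any POST that reaches `handleRequest()`, so a cross-site request could plant a known `googleAuthenticatorSecret` on a victim who has not enabled TOTP yet. Since this same commit scopes `NoLockout` to the `permissions:edit` group, plain validation of this form should no longer trip that constraint, and the original guard can simply stay: `if (!$this->demo_mode && !$user->isSamlUser() && $google_form->isSubmitted() && $google_form->isValid()) {`. If some other constraint still blocks non-admins, restrict the form type's `validation_groups` rather than skipping validation; I cannot see the TFA form type from here, so the confirmation-code part is inferred. The enclosing controller action starts and ends outside the hunk.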
@@ -102,7 +102,7 @@ use Jbtronics\TFAWebauthn\Model\TwoFactorInterface as WebauthnTwoFactorInterface
 #[ApiFilter(LikeFilter::class, properties: ["name", "aboutMe"])]
 #[ApiFilter(DateFilter::class, strategy: DateFilterInterface::EXCLUDE_NULL)]
 #[ApiFilter(OrderFilter::class, properties: ['name', 'id', 'addedDate', 'lastModified'])]
-#[NoLockout]
+#[NoLockout(groups: ['permissions:edit'])]
 class User extends AttachmentContainingDBElement implements UserInterface, HasPermissionsInterface, TwoFactorInterface, BackupCodeInterface, TrustedDeviceInterface, WebauthnTwoFactorInterface, PreferredProviderInterface, PasswordAuthenticatedUserInterface, SamlUserInterface
 {
diff --git a/src/Form/UserAdminForm.php b/src/Form/UserAdminForm.php
index d1e5924e..864bcf6b 100644
--- a/src/Form/UserAdminForm.php
+++ b/src/Form/UserAdminForm.php
@@ -57,6 +57,8 @@ class UserAdminForm extends AbstractType
         parent::configureOptions($resolver); // TODO: Change the autogenerated stub
         $resolver->setRequired('attachment_class');
         $resolver->setDefault('parameter_class', false);
+
+        $resolver->setDefault('validation_groups', ['Default', 'permissions:edit']);
     }
 
     public function buildForm(FormBuilderInterface $builder, array $options): void
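Review bot: Scoping `NoLockout` to the `permissions:edit` group on the new attribute line removes it from the `Default` group, so any validation of `User` that does not opt into that group — the API Platform operations implied by the `ApiFilter` attributes on this class, unless their validation groups are configured to include it, and any other form that edits permissions — can now strip the last admin's rights unchecked. Please document the requirement on the attribute so the next permissions-editing path does not miss it, e.g. `// Only enforced in the 'permissions:edit' group: every form or API operation that can change permissions must validate with that group, or the last admin can be locked out.` Whether the API write paths already pass this group I cannot tell from the hunk; a test that PUTs a permission change through the API and expects a `NoLockout` violation would settle it. The class declaration continues outside the hunk.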
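Review bot: The added `validation_groups` default does not say why `permissions:edit` is required, and because it is set with `setDefault`, a caller or subclass that passes its own `validation_groups` option silently drops the group and with it the lockout protection it enables. A comment on the new line such as `// 'permissions:edit' activates the NoLockout constraint on User; any override must keep it` would make the dependency visible, and a `setNormalizer('validation_groups', ...)` that re-adds the group when it is missing would make it hard to lose by accident. The `configureOptions` signature sits above the hunk, so I cannot see whether other options already interact with this.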