Merge pull request #3901 from alphagov/prevent-admin-auth-change

Prevent switching auth type for Platform Admins
2026-05-05 16:38:59 -04:00 · 2021-05-28 16:07:11 +01:00
parent 24f4b3f3eb 71cbc00a3d
commit 68d923568c
6 changed files with 147 additions and 84 deletions
--- a/app/main/views/invites.py
+++ b/app/main/views/invites.py
@@ -57,15 +57,16 @@ def accept_invite(token):
            return redirect(url_for('main.service_dashboard', service_id=invited_user.service))
        else:
            service = Service.from_id(invited_user.service)
-            # if the service you're being added to can modify auth type, then check if this is relevant
-            if service.has_permission('email_auth') and (
-                # they have a phone number, we want them to start using it. if they dont have a mobile we just
-                # ignore that option of the invite
-                (existing_user.mobile_number and invited_user.auth_type == 'sms_auth') or
-                # we want them to start sending emails. it's always valid, so lets always update
-                invited_user.auth_type == 'email_auth'
-            ):
-                existing_user.update(auth_type=invited_user.auth_type)
+            # if the service you're being added to can modify auth type, then check if we can do this;
+            # if the user is a Platform Admin, we silently leave this unchanged to prevent a security
+            # issue where someone could switch their auth type to something less secure
+            if service.has_permission('email_auth') and not existing_user.platform_admin:
+                if invited_user.auth_type == 'email_auth' or (
+                    # they have a phone number, we want them to start using it.
+                    # if they dont have a mobile we just ignore that option of the invite
+                    existing_user.mobile_number and invited_user.auth_type == 'sms_auth'
+                ):
+                    existing_user.update(auth_type=invited_user.auth_type)
            existing_user.add_to_service(
                service_id=invited_user.service,
                permissions=invited_user.permissions,
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -142,7 +142,9 @@ def edit_user_permissions(service_id, user_id):
            permissions=form.permissions,
            folder_permissions=form.folder_permissions.data,
        )
-        if service_has_email_auth:
+        # only change the auth type if this is supported for a service; for Platform Admin users,
+        # we avoid changing the auth type to prevent it being switched to something less secure
+        if service_has_email_auth and not user.platform_admin:
            user.update(auth_type=form.login_authentication.data)
        return redirect(url_for('.manage_users', service_id=service_id))

--- a/app/templates/views/manage-users/permissions.html
+++ b/app/templates/views/manage-users/permissions.html
@@ -11,7 +11,11 @@
 {% endif %}

 {% if service_has_email_auth %}
-  {% if not mobile_number %}
+  {% if user.platform_admin %}
+    <p class="bottom-gutter">
+      Platform admin users will login with a security key.
+    </p>
+  {% elif not mobile_number %}
    {{ radios(
      form.login_authentication,
      disable=['sms_auth'],