From 2791066bb2f6801713734b1f21e633212efa2c81 Mon Sep 17 00:00:00 2001
From: uepselon <49870752+uepselon@users.noreply.github.com>
Date: Wed, 13 Jul 2022 16:05:41 +0200
Subject: [PATCH] fix: allow System Manager to reset OTP secret

* squashed: Change Admin based OTP reset to role based reset (System Manager)
* fix: show `Reset OTP Secret` button only if applicable
* chore: flatten code, use `only_for` API

Co-authored-by: Leonard Goertz
Co-authored-by: Sagar Vora
---
 frappe/core/doctype/user/user.js | 18 +++++-----
 frappe/twofactor.py | 58 +++++++++++++++++---------------
 2 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/frappe/core/doctype/user/user.js b/frappe/core/doctype/user/user.js
index 001aae4da0..41b7e7fb38 100644
--- a/frappe/core/doctype/user/user.js
+++ b/frappe/core/doctype/user/user.js
@@ -173,14 +173,16 @@ frappe.ui.form.on('User', {
 });
 }
- frm.add_custom_button(__("Reset OTP Secret"), function() {
- frappe.call({
- method: "frappe.twofactor.reset_otp_secret",
- args: {
- "user": frm.doc.name
- }
- });
- }, __("Password"));
+ if (frappe.session.user == doc.name || frappe.user.has_role("System Manager")) {
+ frm.add_custom_button(__("Reset OTP Secret"), function() {
+ frappe.call({
+ method: "frappe.twofactor.reset_otp_secret",
+ args: {
+ "user": frm.doc.name
+ }
+ });
+ }, __("Password"));
+ }
 frm.trigger('enabled');
diff --git a/frappe/twofactor.py b/frappe/twofactor.py
index 55c27e2bac..26fc3ad619 100644
--- a/frappe/twofactor.py
+++ b/frappe/twofactor.py
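Review bot: The added condition compares `frappe.session.user == doc.name` while the call two lines below passes `frm.doc.name`; using one spelling and strict equality, `if (frappe.session.user === frm.doc.name || frappe.user.has_role("System Manager")) {`, avoids relying on a `doc` alias whose definition lies outside this hunk (the enclosing refresh handler starts and ends outside it). This check only decides whether the button is shown; the permission decision is made server-side by `frappe.twofactor.reset_otp_secret`, so a one-line comment above the `if`, `// UI hint only: the server enforces who may reset the secret`, would stop a later reader from treating it as the authorization check.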
@@ -461,33 +461,35 @@ def disable():
 @frappe.whitelist()
 def reset_otp_secret(user):
+ if frappe.session.user != user:
+ frappe.only_for("System Manager", message=True)
+
 otp_issuer = frappe.db.get_value("System Settings", "System Settings", "otp_issuer_name")
 user_email = frappe.db.get_value("User", user, "email")
- if frappe.session.user in ["Administrator", user]:
- frappe.defaults.clear_default(user + "_otplogin")
- frappe.defaults.clear_default(user + "_otpsecret")
- email_args = {
- "recipients": user_email,
- "sender": None,
- "subject": _("OTP Secret Reset - {0}").format(otp_issuer or "Frappe Framework"),
- "message": _(
- "

Your OTP secret on {0} has been reset. If you did not perform this reset and did not request it, please contact your System Administrator immediately.

" - ).format(otp_issuer or "Frappe Framework"), - "delayed": False, - "retry": 3, - } - enqueue( - method=frappe.sendmail, - queue="short", - timeout=300, - event=None, - is_async=True, - job_name=None, - now=False, - **email_args, - ) - return frappe.msgprint( - _("OTP Secret has been reset. Re-registration will be required on next login.") - ) - else: - return frappe.throw(_("OTP secret can only be reset by the Administrator.")) + + frappe.defaults.clear_default(user + "_otplogin") + frappe.defaults.clear_default(user + "_otpsecret") + + email_args = { + "recipients": user_email, + "sender": None, + "subject": _("OTP Secret Reset - {0}").format(otp_issuer or "Frappe Framework"), + "message": _( + "

Your OTP secret on {0} has been reset. If you did not perform this reset and did not request it, please contact your System Administrator immediately.

" + ).format(otp_issuer or "Frappe Framework"), + "delayed": False, + "retry": 3, + } + + enqueue( + method=frappe.sendmail, + queue="short", + timeout=300, + event=None, + is_async=True, + job_name=None, + now=False, + **email_args, + ) + + frappe.msgprint(_("OTP Secret has been reset. Re-registration will be required on next login."))