From c9f2ae6f58fe6c57e5dbc4057bd920f4fd8d8a4d Mon Sep 17 00:00:00 2001
From: zero-24
Date: Sun, 30 Aug 2020 22:36:55 +0200
Subject: [PATCH 1/2] implement 2fa enforcment per usergroup
---
 administrator/components/com_users/config.xml | 10 +++++++++
 administrator/language/en-GB/com_users.ini | 1 +
 libraries/src/Application/CMSApplication.php | 21 ++++++++++++++++---
 3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/administrator/components/com_users/config.xml b/administrator/components/com_users/config.xml
index 78038fdb4bdc8..0b3eb801a3919 100644
--- a/administrator/components/com_users/config.xml
+++ b/administrator/components/com_users/config.xml
@@ -123,6 +123,16 @@ + +
getIdentity()->id;
+ $user = $this->getIdentity();
- if (!$userId)
+ if (!$user->id)
 {
 return false;
 }
@@ -1185,7 +1185,22 @@ protected function isTwoFactorAuthenticationRequired(): bool
 return false;
 }
- $enforce2faOptions = ComponentHelper::getComponent('com_users')->getParams()->get('enforce_2fa_options', 0);
+ $comUsersParams = ComponentHelper::getComponent('com_users')->getParams();
+
+ // Chech whether we for 2fa for the logged in user.
+ $forced2faGroups = (array) $comUsersParams->get('enforce_2fa_usergroups', []);
+
+ if (!empty($forced2faGroups))
+ {
+ $userGroups = (array) $user->get('groups', []);
+
+ if (!array_intersect($forced2faGroups, $userGroups))
+ {
+ return false;
+ }
+ }
+
+ $enforce2faOptions = $comUsersParams->get('enforce_2fa_options', 0);
 if ($enforce2faOptions == 0 || !$enforce2faOptions)
 {
From 59cbdd4a305e9046481ffe4fa053cfceb1bc3502 Mon Sep 17 00:00:00 2001
From: Tobias Zulauf
Date: Mon, 31 Aug 2020 16:52:22 +0200
Subject: [PATCH 2/2] Update libraries/src/Application/CMSApplication.php
Co-authored-by: Quy
---
 libraries/src/Application/CMSApplication.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/src/Application/CMSApplication.php b/libraries/src/Application/CMSApplication.php
index cd1b5d58a497e..dc0200e528ea7 100644
--- a/libraries/src/Application/CMSApplication.php
+++ b/libraries/src/Application/CMSApplication.php
@@ -1187,7 +1187,7 @@ protected function isTwoFactorAuthenticationRequired(): bool
 $comUsersParams = ComponentHelper::getComponent('com_users')->getParams();
- // Chech whether we for 2fa for the logged in user.
+ // Check if 2fa is enforced for the logged in user.
 $forced2faGroups = (array) $comUsersParams->get('enforce_2fa_usergroups', []);
 if (!empty($forced2faGroups))
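Review bot: In the `@@ -1185,7 +1185,22 @@` hunk of PATCH 1/2, the membership test reads `$user->get('groups', [])`, which in Joomla's User class appears to hold only the groups assigned to the user directly. If so, selecting a parent group in `enforce_2fa_usergroups` would not match an account that sits only in a child group, and the early `return false` would exempt that account from enforcement. If inherited membership is meant to count, `$userGroups = (array) $user->getAuthorisedGroups();` looks like the closer fit; otherwise the field description should say that only directly assigned groups are matched. A comment above the block such as `// An empty selection applies the enforcement setting to every user; otherwise users outside the selected groups are exempt.` would make the exempting branch explicit. The body of isTwoFactorAuthenticationRequired() starts and ends outside this hunk.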