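/**
 * Checks whether two-factor authentication (2FA) must be enforced for the current user.
 *
 * Returns true only when enforcement applies to this user and application client
 * and the user has not yet configured 2FA; returns false in every other case.
 *
 * @return boolean
 *
 * @since 4.0.0
 *
 * @throws \Exception
 */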
protected function isTwoFactorAuthenticationRequired(): bool
{
    // Every early "return false" in this method means "do not enforce 2FA":
    // the method fails open whenever a precondition is not met.
    $identity = $this->getIdentity();

    // No user id means nobody is logged in, so there is nothing to enforce.
    if (!$identity->id) {
        return false;
    }

    // The presence of the 'has2fa' session key skips all configuration checks below.
    // NOTE(review): where this key is written is not visible here; confirm it is set
    // only after the user's 2FA setup has actually been verified.
    if ($this->getSession()->has('has2fa')) {
        return false;
    }

    $params = ComponentHelper::getComponent('com_users')->getParams();

    // A non-empty group list restricts enforcement to members of those groups;
    // an empty list leaves every logged-in user in scope.
    $enforcedGroups = (array) $params->get('enforce_2fa_usergroups', []);

    if (!empty($enforcedGroups) && !array_intersect($enforcedGroups, (array) $identity->get('groups', []))) {
        return false;
    }

    // Enforcement mode as used below: 1 = site, 2 = administrator, 3 = both.
    // Any falsy value, or a value loosely equal to 0, switches enforcement off.
    $enforceMode = $params->get('enforce_2fa_options', 0);

    if (!$enforceMode || $enforceMode == 0) {
        return false;
    }

    // Without an enabled plugin in the 'twofactorauth' group nothing is enforced,
    // even when the component is configured to require 2FA.
    if (!PluginHelper::isEnabled('twofactorauth')) {
        return false;
    }

    $siteHasPlugin  = false;
    $adminHasPlugin = false;

    // Record which clients have at least one 2FA plugin available, based on each
    // plugin's 'section' parameter: 1 = site only, 2 = administrator only,
    // anything else (including the default of 3) = both.
    foreach (PluginHelper::getPlugin('twofactorauth') as $plugin) {
        $section = (new Registry($plugin->params))->get('section', 3);

        // Loose comparison on purpose, matching switch semantics
        // (presumably stored parameter values can arrive as strings; verify).
        if ($section == 1) {
            $siteHasPlugin = true;
        } elseif ($section == 2) {
            $adminHasPlugin = true;
        } else {
            $adminHasPlugin = true;
            $siteHasPlugin  = true;
        }
    }

    // Site client: enforce when a plugin covers the site and the mode includes it.
    if ($siteHasPlugin && $this->isClient('site') && \in_array($enforceMode, [1, 3])) {
        return !$this->hasUserConfiguredTwoFactorAuthentication();
    }

    // Administrator client: same rule with the administrator modes.
    if ($adminHasPlugin && $this->isClient('administrator') && \in_array($enforceMode, [2, 3])) {
        return !$this->hasUserConfiguredTwoFactorAuthentication();
    }

    // Any other client, or a client not covered by plugin/mode: no enforcement.
    return false;
}