chore: Add PR's requested changes

matiasperrone-exo · Copilot · matiasperrone-exo · commit 823bfd09397d · 2026-04-27T20:36:55.000Z
Co-authored-by: Copilot &lt;copilot@github.com&gt;
diff --git a/app/libs/Auth/Models/User.php b/app/libs/Auth/Models/User.php
@@ -2473,7 +2473,13 @@ public function setTwoFactorEnforcedAt(?\DateTime $at): void
      */
     public function shouldRequire2FA(): bool
     {
-        return ($this->isAdmin() || (bool) $this->two_factor_enabled);
+        $enforcedGroups = config('two_factor.enforced_groups', []);
+        foreach ($enforcedGroups as $slug) {
+            if ($this->belongToGroup($slug)) {
+                return true;
+            }
+        }
+        return (bool) $this->two_factor_enabled;
     }
 
     /**
diff --git a/tests/unit/UserTwoFactorTest.php b/tests/unit/UserTwoFactorTest.php
@@ -83,25 +83,34 @@ public function testShouldRequire2FA_adminUser(): void
         $this->assertTrue($user->shouldRequire2FA());
     }
 
-    public function testShouldRequire2FA_oauth2AdminUser(): void
+    public function testShouldRequire2FA_BelongsToAnEnforcedGroup(): void
     {
-        // Guard against the gotcha: shouldRequire2FA() must look at the full
-        // config('two_factor.enforced_groups') list, not just call isAdmin().
-        $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::AdminGroup)]);
+        config(['two_factor.enforced_groups' => []]);
+        $this->assertSame([], config('two_factor.enforced_groups'), "Config value 'two_factor.enforced_groups' is set");
 
-        $this->assertTrue($user->isAdmin(), IGroupSlugs::AdminGroup.' is an admin group per isAdmin()');
-        $this->assertTrue($user->shouldRequire2FA());
+        $groups = [
+            IGroupSlugs::SuperAdminGroup,
+            IGroupSlugs::AdminGroup,
+            IGroupSlugs::OAuth2ServerAdminGroup,
+        ];
+        config(['two_factor.enforced_groups' => $groups]);
+        $this->assertSame($groups, config('two_factor.enforced_groups'), "Config value 'two_factor.enforced_groups' is set");
 
         $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::SuperAdminGroup)]);
-        $this->assertTrue($user->isAdmin(), IGroupSlugs::SuperAdminGroup.' is an admin group per isAdmin()');
-        $this->assertTrue($user->shouldRequire2FA());
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
+
 
+        $this->assignGroups($user, array_map([$this, 'buildGroup'], $groups));
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::SuperAdminGroup), "The user belongs to ".IGroupSlugs::SuperAdminGroup." group");
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::AdminGroup), "The user belongs to ".IGroupSlugs::AdminGroup." group");
+        $this->assertTrue($user->belongToGroup(IGroupSlugs::OAuth2ServerAdminGroup), "The user belongs to ".IGroupSlugs::OAuth2ServerAdminGroup." group");
+        $this->assertTrue($user->shouldRequire2FA(), "The user does belong to an enforced group");
+
+        $groups = [IGroupSlugs::RawUsersGroup];
         $user = new User();
-        $this->assignGroups($user, [$this->buildGroup(IGroupSlugs::OAuth2ServerAdminGroup)]);
-        $this->assertFalse($user->isAdmin(), IGroupSlugs::OAuth2ServerAdminGroup.' is NOT an admin group per isAdmin()');
-        $this->assertFalse($user->shouldRequire2FA());
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
+        $this->assignGroups($user, array_map([$this, 'buildGroup'], $groups));
+        $this->assertFalse($user->shouldRequire2FA(), "The user does not belong to any enforced group");
     }
 
     public function testShouldRequire2FA_regularUser_enabled(): void
@@ -200,6 +209,29 @@ public function testSetTwoFactorMethod_invalidMethod_throws(): void
         $setter->invoke($user, 'bogus');
     }
 
+    public function testShouldRequire2FA_configDrivenEnforcement(): void
+    {
+        // Users in enforced_groups must require 2FA even if two_factor_enabled=false
+        // and even if isAdmin() returns false for their group (OAuth2/OpenId admins).
+        $groupsUnderTest = [
+            IGroupSlugs::OAuth2ServerAdminGroup,
+            IGroupSlugs::OpenIdServerAdminsGroup,
+        ];
+
+        foreach ($groupsUnderTest as $groupSlug) {
+            $user = new User();
+            $this->assignGroups($user, [$this->buildGroup($groupSlug)]);
+            $this->assertFalse($user->isTwoFactorEnabled());
+            $this->assertFalse($user->isAdmin(), "$groupSlug must NOT be covered by isAdmin()");
+            $this->assertTrue($user->shouldRequire2FA(), "$groupSlug is in enforced_groups — shouldRequire2FA() must return true regardless of the stored flag");
+        }
+
+        // Sanity: a regular user with two_factor_enabled=false is NOT enforced
+        $regular = new User();
+        $this->assignGroups($regular, [$this->buildGroup(IGroupSlugs::RawUsersGroup)]);
+        $this->assertFalse($regular->shouldRequire2FA());
+    }
+
     public function testShouldRequire2FA_emptyEnforcedGroups_fallsThroughToFlag(): void
     {
         // Locks in the config fall-through: when enforced_groups is empty,

Original file line number	Diff line number	Diff line change
`@@ -2473,7 +2473,13 @@ public function setTwoFactorEnforcedAt(?\DateTime $at): void`
`2473`	`2473`	`*/`
`2474`	`2474`	`public function shouldRequire2FA(): bool`
`2475`	`2475`	`{`
`2476`		`- return ($this->isAdmin() \|\| (bool) $this->two_factor_enabled);`
	`2476`	`+ $enforcedGroups = config('two_factor.enforced_groups', []);`
	`2477`	`+ foreach ($enforcedGroups as $slug) {`
	`2478`	`+ if ($this->belongToGroup($slug)) {`
	`2479`	`+ return true;`
	`2480`	`+ }`
	`2481`	`+ }`
	`2482`	`+ return (bool) $this->two_factor_enabled;`
`2477`	`2483`	`}`
`2478`	`2484`
`2479`	`2485`	`/**`