Require verified email to enable 2FA
What does this MR do?
This MR requires that users have a verified email in order to enable 2FA.
How to set up and validate locally (strongly suggested)
Preparation
To prepare your local instance:
- Enable the `:soft_email_confirmation` feature flag to turn on soft email confirmation. This is the flag that allows users to be logged in without first verifying their email address:
  `Feature.enable(:soft_email_confirmation)`
- Enable the `:ensure_verified_primary_email_for_2fa` feature flag that is added in this MR:
  `Feature.enable(:ensure_verified_primary_email_for_2fa)`
- An admin has to set the instance's Sign-up restrictions to:
  - Allow new sign-ups
  - Send confirmation email on sign-up
QA as a user
- Sign up as a new user http://127.0.0.1:3000/users/sign_up
- Visit the user's account settings http://127.0.0.1:3000/-/profile/account
- Click the "enable two-factor authentication" button
- You should be redirected to the user's email settings page with a notice
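The behaviour exercised by the QA steps above, as an added stand-alone illustration that is not code from this MR or from GitLab: `Feature`, `User` and the email-settings path below are stand-ins assumed for the example, and the guard models why the new flag matters when soft email confirmation lets unconfirmed users reach account settings.

```ruby
# Added illustration, not code from the MR: a framework-free model of the guard
# the MR introduces. `Feature`, `User` and the email-settings path are stand-ins
# assumed for this example; GitLab's real classes differ.
module Feature
  @enabled = {}

  def self.enable(name)
    @enabled[name] = true
  end

  def self.disable(name)
    @enabled[name] = false
  end

  def self.enabled?(name)
    @enabled.fetch(name, false)
  end
end

User = Struct.new(:email, :confirmed_at, :two_factor_enabled, keyword_init: true) do
  # A primary email counts as verified once a confirmation timestamp is set.
  def confirmed?
    !confirmed_at.nil?
  end
end

Result = Struct.new(:status, :redirect_to, :notice, keyword_init: true)

EMAIL_SETTINGS_PATH = '/-/profile/emails'.freeze # assumed path for the example

# With soft email confirmation on, an unconfirmed user can still sign in and
# therefore reach the account settings page where 2FA is enabled.
def session_allowed?(user)
  user.confirmed? || Feature.enabled?(:soft_email_confirmation)
end

# The guard: when the new flag is on, refuse to enable 2FA for an unverified
# primary email and send the user to the email settings page with a notice.
def enable_two_factor(user)
  if Feature.enabled?(:ensure_verified_primary_email_for_2fa) && !user.confirmed?
    return Result.new(status: :redirected, redirect_to: EMAIL_SETTINGS_PATH,
                      notice: 'Verify your primary email address before enabling two-factor authentication.')
  end

  user.two_factor_enabled = true
  Result.new(status: :enabled, redirect_to: nil, notice: nil)
end
```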
Does this MR meet the acceptance criteria?
Conformity
- [-] I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- [-] I have added/updated documentation, or it's not needed. (Is documentation required?)
- [-] I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- [-] I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- [-] I have tested this MR in all supported browsers, or it's not needed.
- [-] I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Related to #35102 (closed)
Edited by Luke Duncalfe