[Update] 修改判断MFA是否全局启用的逻辑，放到User.otp_force_enabled中

apps/users/models/user.py

@@ -14,6 +14,7 @@ from django.utils import timezone
 from django.shortcuts import reverse
 
 from common.utils import get_signer, date_expired_default
+from common.models import Setting
 
 
 __all__ = ['User']
@@ -248,10 +249,13 @@ class User(AbstractUser):
 
     @property
     def otp_enabled(self):
-        return self.otp_level > 0
+        return self.otp_force_enabled or self.otp_level > 0
 
     @property
     def otp_force_enabled(self):
+        mfa_setting = Setting.objects.filter(name='SECURITY_MFA_AUTH').first()
+        if mfa_setting and mfa_setting.cleaned_value:
+            return True
         return self.otp_level == 2
 
     def enable_otp(self):

apps/users/templates/users/user_profile.html

@@ -155,7 +155,7 @@
                                                 <a type="button" class="btn btn-primary btn-xs" style="width: 54px" id=""
                                                    href="
                                                         {% if request.user.otp_enabled and request.user.otp_secret_key %}
-                                                            {% if request.user.otp_force_enabled or mfa_setting %}
+                                                            {% if request.user.otp_force_enabled %}
                                                                 " disabled >{% trans 'Disable' %}
                                                             {% else %}
                                                                 {% url 'users:user-otp-disable-authentication' %}

apps/users/views/login.py

@@ -82,24 +82,17 @@ class UserLoginView(FormView):
     def get_success_url(self):
         user = get_user_or_tmp_user(self.request)
 
-        mfa_setting = Setting.objects.filter(name='SECURITY_MFA_AUTH').first()
-        if mfa_setting and mfa_setting.cleaned_value:
-            if user.otp_enabled and user.otp_secret_key:
-                return reverse('users:login-otp')
-            else:
-                return reverse('users:user-otp-enable-authentication')
-        else:
-            if user.otp_enabled and user.otp_secret_key:
-                # 1,2 & T
-                return reverse('users:login-otp')
-            elif user.otp_enabled and not user.otp_secret_key:
-                # 1,2 & F
-                return reverse('users:user-otp-enable-authentication')
-            elif not user.otp_enabled:
-                # 0 & T,F
-                auth_login(self.request, user)
-                self.write_login_log()
-                return redirect_user_first_login_or_index(self.request, self.redirect_field_name)
+        if user.otp_enabled and user.otp_secret_key:
+            # 1,2 & T
+            return reverse('users:login-otp')
+        elif user.otp_enabled and not user.otp_secret_key:
+            # 1,2 & F
+            return reverse('users:user-otp-enable-authentication')
+        elif not user.otp_enabled:
+            # 0 & T,F
+            auth_login(self.request, user)
+            self.write_login_log()
+            return redirect_user_first_login_or_index(self.request, self.redirect_field_name)
 
     def get_context_data(self, **kwargs):
         context = {

apps/users/views/user.py

@@ -337,7 +337,6 @@ class UserProfileView(LoginRequiredMixin, TemplateView):
 
     def get_context_data(self, **kwargs):
         mfa_setting = Setting.objects.filter(name='SECURITY_MFA_AUTH').first()
-
         context = {
             'action': _('Profile'),
             'mfa_setting': mfa_setting.cleaned_value if mfa_setting else False,