only user with can_use_fido can use fido

2020-05-07 17:58:24 +02:00 · 2020-05-07 17:58:24 +02:00 · 4709237b92
parent 18d62a81d1
commit 4709237b92
2 changed files with 23 additions and 13 deletions
--- a/app/dashboard/templates/dashboard/setting.html
+++ b/app/dashboard/templates/dashboard/setting.html
@ -85,22 +85,25 @@
    </div>
    <!-- END change name & profile picture -->

-    <div class="card">
-      <div class="card-body">
-        <div class="card-title">Security Key (WebAuthn)</div>
-        <div class="mb-3">
-          You can secure your account by linking either your FIDO-supported physical key such as Yubikey, Google Titan,
-          or a device with appropriate hardware to your account.
+    {% if current_user.can_use_fido %}
+      <div class="card">
+        <div class="card-body">
+          <div class="card-title">Security Key (WebAuthn)</div>
+          <div class="mb-3">
+            You can secure your account by linking either your FIDO-supported physical key such as Yubikey, Google
+            Titan,
+            or a device with appropriate hardware to your account.
+          </div>
+          {% if current_user.fido_uuid is none %}
+            <a href="{{ url_for('dashboard.fido_setup') }}" class="btn btn-outline-primary">Setup WebAuthn</a>
+          {% else %}
+            <a href="{{ url_for('dashboard.fido_cancel') }}" class="btn btn-outline-danger">Disable WebAuthn</a>
+          {% endif %}
        </div>
-        {% if current_user.fido_uuid is none %}
-          <a href="{{ url_for('dashboard.fido_setup') }}" class="btn btn-outline-primary">Setup WebAuthn</a>
-        {% else %}
-          <a href="{{ url_for('dashboard.fido_cancel') }}" class="btn btn-outline-danger">Disable WebAuthn</a>
-        {% endif %}
      </div>
-    </div>
+    {% endif %}

-    <div class="card">
+    <div class="card" id="totp">
      <div class="card-body">
        <div class="card-title">One-Time Password (TOTP)</div>
        <div class="mb-3">
--- a/app/dashboard/views/fido_setup.py
+++ b/app/dashboard/views/fido_setup.py
@ -25,6 +25,13 @@ def fido_setup():
        flash("You have already registered your security key", "warning")
        return redirect(url_for("dashboard.index"))

+    if not current_user.can_use_fido:
+        flash(
+            "This feature is currently in invitation-only beta. Please send us an email if you want to try",
+            "warning",
+        )
+        return redirect(url_for("dashboard.index"))
+
    fido_token_form = FidoTokenForm()

    # Handling POST requests