From d2df7c9a59b97179c93e67ee1403f5303b2cd080 Mon Sep 17 00:00:00 2001
From: Paul Schilling
Date: Tue, 6 Feb 2024 17:03:29 +0100
Subject: [PATCH] [#2076] Fix admin index with 2fa
---
 src/open_inwoner/conf/base.py | 15 ++++++++++-----
 src/open_inwoner/utils/django_two_factor_auth.py | 3 +--
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/open_inwoner/conf/base.py b/src/open_inwoner/conf/base.py
index d42be55b01..130ec41f18 100644
--- a/src/open_inwoner/conf/base.py
+++ b/src/open_inwoner/conf/base.py
@@ -480,11 +480,6 @@
 "open_inwoner.accounts.backends.CustomOIDCBackend",
 ]
-# Allowing OIDC admins to bypass 2FA
-MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
- "open_inwoner.accounts.backends.CustomOIDCBackend",
-]
-
 SESSION_COOKIE_NAME = "open_inwoner_sessionid"
 SESSION_ENGINE = "django.contrib.sessions.backends.cache"
@@ -609,6 +604,11 @@
 ADMIN_INDEX_SHOW_REMAINING_APPS = False
 ADMIN_INDEX_AUTO_CREATE_APP_GROUP = False
 ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = False
+ADMIN_INDEX_SHOW_MENU = True
+ADMIN_INDEX_DISPLAY_DROP_DOWN_MENU_CONDITION_FUNCTION = (
+ "open_inwoner.utils.django_two_factor_auth.should_display_dropdown_menu"
+)
+
 #
 # DJANGO-AXES (4.0+)
@@ -816,6 +816,11 @@
 TWO_FACTOR_PATCH_ADMIN = False
 TWO_FACTOR_WEBAUTHN_RP_NAME = f"OpenInwoner {ENVIRONMENT}"
 TWO_FACTOR_WEBAUTHN_AUTHENTICATOR_ATTACHMENT = "cross-platform"
+# Allow OIDC admins to bypass 2FA
+MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
+ "open_inwoner.accounts.backends.CustomOIDCBackend",
+]
+DISABLE_2FA = config("DISABLE_2FA", default=False)
 # file upload limits
 MIN_UPLOAD_SIZE = 1 # in bytes
diff --git a/src/open_inwoner/utils/django_two_factor_auth.py b/src/open_inwoner/utils/django_two_factor_auth.py
index 1e3dc9688b..dcb6a17fe7 100644
--- a/src/open_inwoner/utils/django_two_factor_auth.py
+++ b/src/open_inwoner/utils/django_two_factor_auth.py
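Review bot: In the `@@ -816,6 +816,11 @@` hunk of `conf/base.py`, `DISABLE_2FA` adds a switch on an authentication control without any comment on when it may be set, and in the visible hunks its only reader is `should_display_dropdown_menu`, so it is not clear from this patch whether it turns second-factor enforcement off or only changes when the menu is shown. I would document it where it is defined, e.g. `# Development/testing only: leave DISABLE_2FA unset (False) in production.`, and consider a deploy-time check that warns when it is enabled outside a development environment. The `# Allow OIDC admins to bypass 2FA` comment would also be more useful if it stated the assumption behind the bypass, presumably that the identity provider enforces MFA itself.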
@@ -8,8 +8,7 @@
 def should_display_dropdown_menu(request) -> bool:
 default = default_should_display_dropdown_menu(request)
- two_factor_enabled = settings.TWO_FACTOR_PATCH_ADMIN
- if not two_factor_enabled:
+ if settings.DISABLE_2FA:
 return default
 # never display the dropdown in two-factor admin views
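Review bot: Nothing in the visible lines accounts for admins who skip 2FA through `MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS`: the early `return default` now fires only when `settings.DISABLE_2FA` is set, so an OIDC-authenticated admin falls through to the two-factor checks below. Whether the menu is shown for them depends on code past the last context line, since the function body continues outside this hunk. A test pinning both cases would make the intent explicit: a bypass-backend admin without a registered device sees the dropdown, and a password login that has not completed verification does not. A short docstring would also help, e.g. `"""Return whether the admin dropdown menu is shown; never on two-factor admin views unless DISABLE_2FA is set."""`.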