Force yubi

app/admin/abuser_lookup.py

@@ -5,6 +5,7 @@ from datetime import datetime
 from typing import Optional, List, Dict
 
 from flask import redirect, url_for, request, flash
+from app.admin.base import _has_valid_admin_time
 from flask_admin import BaseView, expose
 from flask_login import current_user
 
@@ -102,11 +103,17 @@ class AbuserLookupResult:
 
 class AbuserLookupAdmin(BaseView):
     def is_accessible(self):
-        return current_user.is_authenticated and current_user.is_admin
+        return (
+            current_user.is_authenticated
+            and current_user.is_admin
+            and _has_valid_admin_time()
+        )
 
     def inaccessible_callback(self, name, **kwargs):
-        flash("You don't have access to the admin page", "error")
-        return redirect(url_for("dashboard.index", next=request.url))
+        if not current_user.is_authenticated or not current_user.is_admin:
+            flash("You don't have access to the admin page", "error")
+            return redirect(url_for("dashboard.index"))
+        return redirect(url_for("dashboard.enter_admin", next=request.url))
 
     @expose("/", methods=["GET", "POST"])
     def index(self):

app/admin/base.py

@@ -8,6 +8,7 @@ from flask_login import current_user
 from markupsafe import Markup
 from time import time
 
+from app import config
 from app import models
 from app.models import AdminAuditLog, AuditLogActionEnum
 
@@ -15,16 +16,16 @@ _ADMIN_GAP = 900
 
 
 def _has_valid_admin_time() -> bool:
-    from app.config import ADMIN_FIDO_REQUIRED
-
-    if ADMIN_FIDO_REQUIRED == "none":
+    if config.ADMIN_FIDO_REQUIRED == "none":
         return True
     admin_time = session.get("admin_time")
     if not admin_time:
         return False
     if (time() - int(admin_time)) > _ADMIN_GAP:
         return False
-    if ADMIN_FIDO_REQUIRED == "hardware" and not session.get("admin_hardware_auth"):
+    if config.ADMIN_FIDO_REQUIRED == "hardware" and not session.get(
+        "admin_hardware_auth"
+    ):
         return False
     return True
 

app/admin/custom_domain_search.py

@@ -4,6 +4,7 @@ from typing import Optional, List
 
 import arrow
 from flask import redirect, url_for, request, flash
+from app.admin.base import _has_valid_admin_time
 from flask_admin import BaseView, expose
 from flask_login import current_user
 
@@ -205,11 +206,17 @@ class CustomDomainSearchHelpers:
 
 class CustomDomainSearchAdmin(BaseView):
     def is_accessible(self):
-        return current_user.is_authenticated and current_user.is_admin
+        return (
+            current_user.is_authenticated
+            and current_user.is_admin
+            and _has_valid_admin_time()
+        )
 
     def inaccessible_callback(self, name, **kwargs):
-        flash("You don't have access to the admin page", "error")
-        return redirect(url_for("dashboard.index", next=request.url))
+        if not current_user.is_authenticated or not current_user.is_admin:
+            flash("You don't have access to the admin page", "error")
+            return redirect(url_for("dashboard.index"))
+        return redirect(url_for("dashboard.enter_admin", next=request.url))
 
     @expose("/", methods=["GET"])
     def index(self):

app/admin/email_search.py

@@ -4,6 +4,7 @@ from typing import Optional, List
 
 import arrow
 from flask import redirect, url_for, request, flash
+from app.admin.base import _has_valid_admin_time
 from flask_admin import BaseView, expose
 from flask_login import current_user
 from sqlalchemy.orm import joinedload
@@ -638,12 +639,17 @@ class EmailSearchHelpers:
 
 class EmailSearchAdmin(BaseView):
     def is_accessible(self):
-        return current_user.is_authenticated and current_user.is_admin
+        return (
+            current_user.is_authenticated
+            and current_user.is_admin
+            and _has_valid_admin_time()
+        )
 
     def inaccessible_callback(self, name, **kwargs):
-        # redirect to login page if user doesn't have access
-        flash("You don't have access to the admin page", "error")
-        return redirect(url_for("dashboard.index", next=request.url))
+        if not current_user.is_authenticated or not current_user.is_admin:
+            flash("You don't have access to the admin page", "error")
+            return redirect(url_for("dashboard.index"))
+        return redirect(url_for("dashboard.enter_admin", next=request.url))
 
     @expose("/", methods=["GET", "POST"])
     def index(self):

app/config.py

@@ -714,6 +714,7 @@ USE_RUST_PGP = "USE_RUST_PGP" in os.environ
 SMTP_SIZE_LIMIT = int(os.environ.get("SMTP_SIZE_LIMIT", 41943040))  # 40MiB
 
 PARTNER_SUPPORT_URL = os.environ.get("PARTNER_SUPPORT_URL", None)
+
 ADMIN_FIDO_REQUIRED = os.environ.get("ADMIN_FIDO_REQUIRED", "none")
 if ADMIN_FIDO_REQUIRED not in ("none", "any", "hardware"):
     raise ValueError("ADMIN_FIDO_REQUIRED is not a valid value")