Block enabling force 2FA if local logins disabled & vice-versa (#8355)

config/locales/server.en.yml

@@ -204,6 +204,8 @@ en:
       enable_s3_uploads_is_required: "You cannot enable inventory to S3 unless you've enabled the S3 uploads."
       s3_backup_requires_s3_settings: "You cannot use S3 as backup location unless you've provided the '%{setting_name}'."
       s3_bucket_reused: "You cannot use the same bucket for 's3_upload_bucket' and 's3_backup_bucket'. Choose a different bucket or use a different path for each bucket."
+      second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled."
+      local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins."
     conflicting_google_user_id: 'The Google Account ID for this account has changed; staff intervention is required for security reasons. Please contact staff and point them to <br><a href="https://meta.discourse.org/t/76575">https://meta.discourse.org/t/76575</a>'
 
   activemodel:

lib/site_settings/validations.rb

@@ -143,6 +143,17 @@ module SiteSettings::Validations
     validate_bucket_setting("s3_backup_bucket", SiteSetting.s3_upload_bucket, new_val)
   end
 
+  def validate_enforce_second_factor(new_val)
+    return if SiteSetting.enable_local_logins
+    validate_error :second_factor_cannot_be_enforced_with_disabled_local_login
+  end
+
+  def validate_enable_local_logins(new_val)
+    return if new_val == "t"
+    return if SiteSetting.enforce_second_factor == "no"
+    validate_error :local_login_cannot_be_disabled_if_second_factor_enforced
+  end
+
   private
 
   def validate_bucket_setting(setting_name, upload_bucket, backup_bucket)

spec/lib/site_settings/validations_spec.rb

@@ -105,4 +105,61 @@ describe SiteSettings::Validations do
       end
     end
   end
+
+  describe "enforce second factor & local login interplay" do
+    describe "#validate_enforce_second_factor" do
+      let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_disabled_local_login") }
+      context "when local logins are disabled" do
+        before do
+          SiteSetting.enable_local_logins = false
+        end
+
+        it "should raise an error" do
+          expect { subject.validate_enforce_second_factor("t") }.to raise_error(Discourse::InvalidParameters, error_message)
+        end
+      end
+
+      context "when local logins are enabled" do
+        before do
+          SiteSetting.enable_local_logins = true
+        end
+
+        it "should be ok" do
+          expect { subject.validate_enforce_second_factor("t") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+        end
+      end
+    end
+
+    describe "#validate_enable_local_logins" do
+      let(:error_message) { I18n.t("errors.site_settings.local_login_cannot_be_disabled_if_second_factor_enforced") }
+
+      context "when the new value is false" do
+        context "when enforce second factor is enabled" do
+          before do
+            SiteSetting.enforce_second_factor = "all"
+          end
+
+          it "should raise an error" do
+            expect { subject.validate_enable_local_logins("f") }.to raise_error(Discourse::InvalidParameters, error_message)
+          end
+        end
+
+        context "when enforce second factor is disabled" do
+          before do
+            SiteSetting.enforce_second_factor = "no"
+          end
+
+          it "should be ok" do
+            expect { subject.validate_enable_local_logins("f") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+          end
+        end
+      end
+
+      context "when the new value is true" do
+        it "should be ok" do
+          expect { subject.validate_enable_local_logins("t") }.not_to raise_error(Discourse::InvalidParameters, error_message)
+        end
+      end
+    end
+  end
 end