support user features restrictions

pkg/api/twofactor_authorizations.go

@@ -81,6 +81,10 @@ func (a *TwoFactorAuthorizationsApi) TwoFactorEnableRequestHandler(c *core.WebCo
 		return nil, errs.ErrUserNotFound
 	}
 
+	if user.FeatureRestriction.Contains(models.USER_FEATURE_RESTRICTION_TYPE_ENABLE_2FA) {
+		return nil, errs.ErrNotPermittedToPerformThisAction
+	}
+
 	key, err := a.twoFactorAuthorizations.GenerateTwoFactorSecret(c, user)
 
 	if err != nil {
@@ -141,6 +145,10 @@ func (a *TwoFactorAuthorizationsApi) TwoFactorEnableConfirmHandler(c *core.WebCo
 		return nil, errs.ErrUserNotFound
 	}
 
+	if user.FeatureRestriction.Contains(models.USER_FEATURE_RESTRICTION_TYPE_ENABLE_2FA) {
+		return nil, errs.ErrNotPermittedToPerformThisAction
+	}
+
 	twoFactorSetting := &models.TwoFactor{
 		Uid:    uid,
 		Secret: confirmReq.Secret,
@@ -229,6 +237,10 @@ func (a *TwoFactorAuthorizationsApi) TwoFactorDisableHandler(c *core.WebContext)
 		return nil, errs.ErrUserNotFound
 	}
 
+	if user.FeatureRestriction.Contains(models.USER_FEATURE_RESTRICTION_TYPE_DISABLE_2FA) {
+		return nil, errs.ErrNotPermittedToPerformThisAction
+	}
+
 	if !a.users.IsPasswordEqualsUserPassword(disableReq.Password, user) {
 		return nil, errs.ErrUserPasswordWrong
 	}