feat: require 2fa for new user to upload as well

Expand the policy to include file upload actions. Follows pypi#14294 Refs pypi#13762 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
miketheman · Sep 7, 2023 · fd9c7c9 · fd9c7c9
1 parent 2d0e5ae
commit fd9c7c9
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/tests/unit/accounts/test_security_policy.py b/tests/unit/accounts/test_security_policy.py
@@ -776,6 +776,23 @@ def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
         policy = policy_class()
         assert not policy.permits(request, context, "myperm")
 
+    def test_deny_forklift_file_upload_without_2fa(self, monkeypatch, policy_class):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=False,
+                date_joined=datetime(2023, 8, 9),
+            ),
+            matched_route=pretend.stub(name="forklift.legacy.file_upload"),
+        )
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert not policy.permits(request, context, "myperm")
+
     @pytest.mark.parametrize(
         "matched_route",
         [

diff --git a/warehouse/accounts/security_policy.py b/warehouse/accounts/security_policy.py
@@ -332,7 +332,8 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
     ]
 
     if (
-        request.matched_route.name.startswith("manage")
+        request.matched_route.name == "forklift.legacy.file_upload"
+        or request.matched_route.name.startswith("manage")
         and request.matched_route.name != "manage.account"
         and not any(
             request.matched_route.name.startswith(route) for route in _exempt_routes