From fd9c7c996287c570812e0e61b2f39d6ec044664b Mon Sep 17 00:00:00 2001
From: Mike Fiedler
Date: Thu, 7 Sep 2023 18:53:37 -0400
Subject: [PATCH] feat: require 2fa for new user to upload as well

Expand the policy to include file upload actions. Follows #14294 Refs #13762
Signed-off-by: Mike Fiedler
---
 tests/unit/accounts/test_security_policy.py | 17 +++++++++++++++++
 warehouse/accounts/security_policy.py | 3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/tests/unit/accounts/test_security_policy.py b/tests/unit/accounts/test_security_policy.py
index 32e778dee7dd..90c5ac464719 100644
--- a/tests/unit/accounts/test_security_policy.py
+++ b/tests/unit/accounts/test_security_policy.py
@@ -776,6 +776,23 @@ def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
         policy = policy_class()
         assert not policy.permits(request, context, "myperm")
 
+    def test_deny_forklift_file_upload_without_2fa(self, monkeypatch, policy_class):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=False,
+                date_joined=datetime(2023, 8, 9),
+            ),
+            matched_route=pretend.stub(name="forklift.legacy.file_upload"),
+        )
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert not policy.permits(request, context, "myperm")
+
     @pytest.mark.parametrize(
         "matched_route",
         [
diff --git a/warehouse/accounts/security_policy.py b/warehouse/accounts/security_policy.py
index 5717a767a576..55d119c7aa83 100644
--- a/warehouse/accounts/security_policy.py
+++ b/warehouse/accounts/security_policy.py
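Review bot: The new test pins only the deny branch of `_check_for_mfa` for `forklift.legacy.file_upload`; nothing in the hunk shows that a user who does have 2FA enabled is still permitted on that route, so a policy that rejected every upload would pass this test as well. A companion test with the same stubs but `has_two_factor=True,` and `assert policy.permits(request, context, "myperm")` would pin the intended boundary, or the route could be added to the `matched_route` parametrization that follows if that block covers the allow path (its body is outside the hunk). The hard-coded `date_joined=datetime(2023, 8, 9)` presumably places the stub on the "new user" side of the policy's cutoff; a short comment such as `# joined after the 2FA-required-for-new-users date` would make the fixture's intent explicit to the next reader. Separately, the rewritten condition in security_policy.py mixes `==`, `or` and a chain of `and` without parentheses; since `and` binds tighter, the upload route is checked unconditionally while the `manage.account` and exempt-route carve-outs apply only to `manage` routes — that reads as intended, but explicit parentheses would keep a future edit from silently changing which routes skip the 2FA check.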
@@ -332,7 +332,8 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
     ]
     if (
-        request.matched_route.name.startswith("manage")
+        request.matched_route.name == "forklift.legacy.file_upload"
+        or request.matched_route.name.startswith("manage")
         and request.matched_route.name != "manage.account"
         and not any(
             request.matched_route.name.startswith(route) for route in _exempt_routes