Document when to use the NoTwoFactorRequired annotation

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2026-01-02 17:59:36 +07:00 · 2022-11-14 18:12:05 +01:00
parent ee694e4c19
commit dcd9079cd3
1 changed files with 3 additions and 1 deletions
--- a/developer_manual/basics/controllers.rst
+++ b/developer_manual/basics/controllers.rst
@@ -770,6 +770,7 @@ By default every controller method enforces the maximum security, which is:

 * Ensure that the user is admin
 * Ensure that the user is logged in
+* Ensure that the user has passed the two-factor challenge, if applicable
 * Check the CSRF token

 Most of the time though it makes sense to also allow normal users to access the page and the PageController->index() method should not check the CSRF token because it has not yet been sent to the client and because of that can't work.
@@ -777,8 +778,9 @@ Most of the time though it makes sense to also allow normal users to access the
 To turn off checks the following *Annotations* can be added before the controller:

 * **@NoAdminRequired**: Also users that are not admins can access the page
-* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__)
 * **@PublicPage**: Everyone can access the page without having to log in
+* **@NoTwoFactorRequired**: A user can access the page before the two-factor challenge has been passed (use this wisely and only in two-factor auth apps, e.g. to allow setup during login)
+* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__)

 A controller method that turns off all checks would look like this: