From 18a0eb773489b6d1a72ef8f3ae5bb005a3f0a5fc Mon Sep 17 00:00:00 2001
From: Bouke Haarsma
Date: Wed, 15 Jan 2014 16:42:07 +0100
Subject: [PATCH] Do not confuse recent two-factor converts
---
 tests/tests.py | 11 ++++++++++-
 two_factor/views/mixins.py | 10 +++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/tests/tests.py b/tests/tests.py
index 4ada1ad4f..82e35c443 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -319,10 +319,19 @@ def test_unverified_explanation(self):
 self.assertContains(response, 'Enable Two-Factor Authentication', status_code=403)
+ def test_unverified_need_login(self):
+ user = User.objects.create_superuser('bouke', None, 'secret')
+ self.client.login(username='bouke', password='secret')
+ user.totpdevice_set.create(name='default')
+ url = '/secure/'
+ response = self.client.get(url)
+ redirect_to = '%s?%s' % (settings.LOGIN_URL, urlencode({'next': url}))
+ self.assertRedirects(response, redirect_to)
+
 def test_verified(self):
 user = User.objects.create_superuser('bouke', None, 'secret')
 self.client.login(username='bouke', password='secret')
- device = user.totpdevice_set.create()
+ device = user.totpdevice_set.create(name='default')
 session = self.client.session
 session[DEVICE_ID_SESSION_KEY] = device.persistent_id
 session.save()
diff --git a/two_factor/views/mixins.py b/two_factor/views/mixins.py
index 21d9a20fc..eb5f96a33 100644
--- a/two_factor/views/mixins.py
+++ b/two_factor/views/mixins.py
@@ -1,4 +1,5 @@
 from django.template.response import TemplateResponse
+from two_factor.utils import default_device
 try:
 from urllib.parse import urlencode
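Review bot: `test_unverified_need_login` exercises only the redirect branch of the new `dispatch` condition; the `raise_anonymous` path, where a user with an enrolled device but an unverified session should now get `PermissionDenied` instead of the 'Enable Two-Factor Authentication' explanation, is not covered, so a regression there would still pass this suite. The test also gives no hint why the device must be named `'default'`; presumably `default_device` (imported into mixins.py in this same commit) selects it by that name, so a docstring such as `"""A user with an enrolled device but no verified session is sent to login, not to the 'enable TFA' page."""` and a short comment on the `name='default'` line would make that dependency explicit. `settings` and `urlencode` are referenced here but their imports lie outside this hunk.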
@@ -64,7 +65,14 @@ def get_verification_url(self):
 return self.verification_url and str(self.verification_url)
 def dispatch(self, request, *args, **kwargs):
- if not request.user.is_authenticated():
+ if not request.user.is_authenticated() or \
+ (not request.user.is_verified() and default_device(request.user)):
+ # If the user has not authenticated raise or redirect to the login
+ # page. Also if the user just enabled two-factor authentication and
+ # has not yet logged in since should also have the same result. If
+ # the user receives a 'you need to enable TFA' by now, he gets
+ # confuses as TFA has just been enabled. So we either raise or
+ # redirect to the login page.
 if self.raise_anonymous:
 raise PermissionDenied()
 else:
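Review bot: The new condition sends an authenticated user who holds a device but has not verified this session to the login page; that is the right fail-closed choice, but it only works if `LOGIN_URL` points at a view that performs the second-factor step for an already-authenticated user — with a password-only login view the user would be bounced back to this page still unverified, i.e. a redirect loop, so that assumption deserves a line in the comment. The comment block itself is hard to follow (`he gets confuses`) and would read better as two sentences stating the invariant: a request is treated as not logged in when the user is unauthenticated, or has enrolled a device (`default_device`) but the session is not OTP-verified; only users with no device at all fall through to the 'enable two-factor' explanation. `request.user.is_verified()` presumes the OTP middleware has wrapped `request.user`, which appears to be an existing assumption of this mixin rather than something new here, but it is worth stating alongside the `default_device` lookup since both now run on every unverified request. Stylistically, wrapping the whole condition in parentheses would avoid the backslash continuation. `dispatch` continues past the end of the hunk.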