[fix] Disable webdav for users that have 2fa enabled
Maybe I’m mistaken but this doesn’t read like a fix but a fundamental change - unless I’m missing something. I use 2FA and I use WebDAV and I’m aware that WebDAV does not support 2FA.
The best would be if WebDAV would be adjusted to use generated app tokens which can be managed (creation with a name and shown once, deletion) by the user through Seahub.
I have been using 2FA, and on updating, using WebDAV is disabled. Adding “ENABLE_WEBDAV_SECRET” and then setting up a WebDAV Password under user settings doesn’t make it possible to use 2FA and WebDAV. Checking the code, it just looks to see if 2FA is set for the session and user or globally and then denies the authentication request. I still want to use WebDAV so I edited seafile-server-latest/seahub/thirdpart/wsgidav/dc/domain_controller.py and commented the offending lines 76-79. Of course that exposed another problem - if I’m not using SSO, having a WebDAV password means that I can use both the WebDAV password and the user password. It really should be one or the other.
I agree that WebDAV and 2FA are incompatible, but there should be a check for the WebDAV password and only use that if available. Of course the WebDAV password is not equivalent to similar “app passwords” that are made once and are assigned to one app - this password is to overcome SSO and allow webdav so it’s one password for all applications. I won’t debate the wisdom in using it or not or whether 2FA and WebDAV should co-exist. It was easy enough for me to remove the code but having 2FA and the WebDAV password would be best.
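The policy suggested in the posts above (use the WebDAV password exclusively when one is set, and refuse 2FA accounts that have none), written out as an added sketch. It is not Seafile's or wsgidav's code; the `Account` record, the function names, and the PBKDF2 storage are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

def derive(secret: str, salt: bytes) -> bytes:
    # Store and compare derived keys, never the plaintext secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)

@dataclass
class Account:
    """Hypothetical account record (not Seahub's user model)."""
    salt: bytes
    password_hash: bytes
    two_factor_enabled: bool = False
    webdav_secret_hash: Optional[bytes] = None

def make_account(password: str, two_factor: bool = False,
                 webdav_secret: Optional[str] = None) -> Account:
    salt = os.urandom(16)
    secret_hash = derive(webdav_secret, salt) if webdav_secret else None
    return Account(salt, derive(password, salt), two_factor, secret_hash)

def webdav_authenticate(account: Account, presented: str) -> Tuple[bool, str]:
    """Decide one WebDAV Basic-auth attempt; returns (allowed, reason)."""
    candidate = derive(presented, account.salt)
    if account.webdav_secret_hash is not None:
        # A WebDAV secret exists: it is the only accepted credential,
        # so the login password stops working over WebDAV.
        ok = hmac.compare_digest(candidate, account.webdav_secret_hash)
        return ok, ("webdav-secret" if ok else "wrong-webdav-secret")
    if account.two_factor_enabled:
        # No secret and 2FA on: the login password alone would skip the
        # second factor, so the request is refused.
        return False, "2fa-needs-webdav-secret"
    ok = hmac.compare_digest(candidate, account.password_hash)
    return ok, ("login-password" if ok else "wrong-password")

if __name__ == "__main__":
    # Constructed sample account: 2FA enabled, WebDAV secret set.
    user = make_account("login-pw", two_factor=True, webdav_secret="dav-secret")
    for attempt in ("dav-secret", "login-pw"):
        print(attempt, webdav_authenticate(user, attempt))
```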