From e90083020ff523cbcdcdcc8db4558ad8c114eab0 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas <christophe@vandeplas.com>
Date: Sat, 20 May 2023 10:26:45 +0200
Subject: [PATCH] chg: [security] Require TOTP and QR code lib for TOTP secret
 creation

---
 app/Controller/UsersController.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index 6d9a5759e..9c80abe2c 100644
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -1782,6 +1782,10 @@ class UsersController extends AppController
             $this->Flash->error(__("LinOTP is enabled for this instance. Build-in TOTP should not be used."));
             $this->redirect($this->referer());
         }
+        if (!class_exists('\OTPHP\TOTP') || !class_exists('\BaconQrCode\Writer')) {
+            $this->Flash->error(__("The required PHP libraries to support TOTP are not installed. Please contact your administrator to address this."));
+            $this->redirect($this->referer());
+        }
         // only allow the users themselves to generate a TOTP secret.
         // If TOTP is enforced they will be invited to generate it at first login
         $user = $this->User->find('first', array(