Admins cannot delete 2fa devices from users they have now common projects with

app/models/principals/scopes/visible.rb

@@ -30,15 +30,19 @@
 
 # Only return Principals that are visible to the current user.
 #
-# Either the user has the `manage_members` permission in any project,
-# or all principals in visible projects are returned.
+# - Users with the global permission `view_all_principals` can see all Principals.
+# - Admins can see all Principals.
+# - Other users can see Principals if:
+#   - they are a member of the same project as the Principal, or
+#   - they are the same user, or
+#   - they share a group with the Principal.
 module Principals::Scopes
   module Visible
     extend ActiveSupport::Concern
 
     class_methods do
       def visible(user = ::User.current)
-        if user.allowed_globally?(:view_all_principals)
+        if user.allowed_globally?(:view_all_principals) || user.admin?
           all
         else
           in_visible_project_or_me_or_same_groups(user)

modules/two_factor_authentication/spec/controllers/two_factor_authentication/users/two_factor_devices_controller_spec.rb

@@ -181,6 +181,36 @@
       end
     end
 
+    describe "#delete_all" do
+      context "with no devices" do
+        it "redirects to the user 2FA tab" do
+          post :delete_all, params: { id: user.id }
+          expect(response).to redirect_to edit_user_path(user, tab: :two_factor_authentication)
+        end
+      end
+
+      context "with existing devices" do
+        let!(:device1) { create(:two_factor_authentication_device_totp, user:, default: true) }
+        let!(:device2) { create(:two_factor_authentication_device_sms, user:, default: false) }
+
+        it "deletes all devices and redirects" do
+          post :delete_all, params: { id: user.id }
+          expect(response).to redirect_to edit_user_path(user, tab: :two_factor_authentication)
+          expect(user.otp_devices.reload).to be_empty
+        end
+      end
+
+      context "when admin shares no project or group with the user" do
+        let!(:device) { create(:two_factor_authentication_device_totp, user:, default: true) }
+
+        it "still deletes all devices (regression: User.visible excluded the user)" do
+          post :delete_all, params: { id: user.id }
+          expect(response).to redirect_to edit_user_path(user, tab: :two_factor_authentication)
+          expect(user.otp_devices.reload).to be_empty
+        end
+      end
+    end
+
     describe "#destroy" do
       it "croaks on missing id" do
         delete :destroy, params: { id: user.id, device_id: "1234" }

spec/models/principals/scopes/visible_spec.rb

@@ -110,6 +110,12 @@
       include_examples "sees all principals"
     end
 
+    context "when user is an admin" do
+      current_user { create(:admin, firstname: "current user") }
+
+      include_examples "sees all principals"
+    end
+
     context "when user has no permission" do
       current_user { create(:user, firstname: "current user") }
 

spec/requests/api/v3/user/user_resource_spec.rb

@@ -312,7 +312,7 @@
     context "as locked admin" do
       let(:current_user) { locked_admin }
 
-      it_behaves_like "not found"
+      it_behaves_like "unauthorized access"
     end
 
     context "as non-admin" do