From 648776780a71288d173141175429f6fff0c38d08 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 6 Feb 2026 14:31:52 +0100
Subject: [PATCH 1/2] Block adding MFA for user + Fix "disable mfa" button

---
 .../ProfileAuthCard/ProfileAuthCard.tsx       | 50 ++++++++++++-------
 1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx b/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
index 36c514baf2..524a8fc00e 100644
--- a/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
+++ b/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
@@ -68,7 +68,12 @@ export const ProfileAuthCard = () => {
   });
 
   const { mutate: disableMfaMutation } = useMutation({
-    mutationFn: api.auth.mfa.disable,
+    mutationFn: () => {
+      if (user.username === authUsername) {
+        return api.auth.mfa.disable();
+      }
+      return api.user.disableMfa(user.username);
+    },
     meta: invalidateAfterMfaChange,
   });
 
@@ -101,7 +106,7 @@ export const ProfileAuthCard = () => {
   });
   const emailMenuItems = useMemo(() => {
     const items: MenuItemProps[] = [];
-    if (!user.email_mfa_enabled) {
+    if (!user.email_mfa_enabled && user.username === authUsername) {
       items.push({
         testId: 'enable-email',
         text: m.controls_enable(),
@@ -126,13 +131,14 @@ export const ProfileAuthCard = () => {
     const res: MenuItemsGroup = {
       items,
     };
-    return res;
+    return items.length > 0 ? res : null;
   }, [
     user.email_mfa_enabled,
     mutateDisableEmailMfa,
     mutateSetDefaultMfa,
     user.mfa_method,
     user.username,
+    authUsername,
   ]);
 
   const mfaMenuItems = useMemo(() => {
@@ -174,16 +180,20 @@ export const ProfileAuthCard = () => {
     user.totp_enabled,
     mutateEnableMfa,
     disableMfaMutation,
+    user.username,
+    authUsername,
   ]);
 
   const webauthnMenuItems = useMemo(() => {
     const items: MenuItemProps[] = [];
-    items.push({
-      text: m.profile_auth_card_add_passkey(),
-      icon: 'plus-circle',
-      testId: 'add-passkey',
-      onClick: () => openModal(ModalName.WebauthnSetup),
-    });
+    if (user.username === authUsername) {
+      items.push({
+        text: m.profile_auth_card_add_passkey(),
+        icon: 'plus-circle',
+        testId: 'add-passkey',
+        onClick: () => openModal(ModalName.WebauthnSetup),
+      });
+    }
     if (securityKeys.length) {
       if (user.mfa_method !== UserMfaMethod.Webauthn) {
         items.push({
@@ -199,14 +209,19 @@ export const ProfileAuthCard = () => {
         onClick: () => mutateDisableWebauthn(),
       });
     }
-    return {
-      items,
-    };
-  }, [mutateDisableWebauthn, securityKeys.length, mutateSetDefaultMfa, user.mfa_method]);
+    return items.length > 0 ? { items } : null;
+  }, [
+    mutateDisableWebauthn,
+    securityKeys.length,
+    mutateSetDefaultMfa,
+    user.mfa_method,
+    user.username,
+    authUsername,
+  ]);
 
   const totpMenuItems = useMemo(() => {
     const items: MenuItemProps[] = [];
-    if (!user.totp_enabled) {
+    if (!user.totp_enabled && user.username === authUsername) {
       items.push({
         icon: 'check-circle',
         testId: 'enable-totp',
@@ -231,15 +246,14 @@ export const ProfileAuthCard = () => {
       });
     }
 
-    return {
-      items,
-    };
+    return items.length > 0 ? { items } : null;
   }, [
     mutateDisableTotp,
     user.totp_enabled,
     mutateSetDefaultMfa,
     user.mfa_method,
     user.username,
+    authUsername,
   ]);
 
   return (
@@ -393,7 +407,7 @@ interface FactorRowProps {
   enabled: boolean;
   isDefault: boolean;
   availability: 'sso' | 'both' | 'mfa';
-  menu?: MenuItemsGroup;
+  menu?: MenuItemsGroup | null;
   testId?: string;
 }
 

From 456e968e3784747c61a1784e32d28ea2cd8abadf Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 6 Feb 2026 14:32:17 +0100
Subject: [PATCH 2/2] lint

---
 .../components/ProfileAuthCard/ProfileAuthCard.tsx              | 2 --
 1 file changed, 2 deletions(-)

diff --git a/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx b/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
index 524a8fc00e..73fe48ac0e 100644
--- a/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
+++ b/web/src/pages/user-profile/UserProfilePage/tabs/ProfileDetailsTab/components/ProfileAuthCard/ProfileAuthCard.tsx
@@ -180,8 +180,6 @@ export const ProfileAuthCard = () => {
     user.totp_enabled,
     mutateEnableMfa,
     disableMfaMutation,
-    user.username,
-    authUsername,
   ]);
 
   const webauthnMenuItems = useMemo(() => {