mandatory2fa: fix workflow when using external LDAP

* Always allow the mandatory 2fa setting to be saved
* Show warning for user if they have no 2fa setup and if not external 2fa
* If they get locked out anyway, they have to use CLI tool
* redirect for mandatory 2fa only if not external 2fa as well

dashboard/src/views/user-settings.js

@@ -44,9 +44,6 @@ angular.module('Application').controller('UserSettingsController', ['$scope', '$
         },
 
         submit: function () {
-            // prevent the current user from getting locked out
-            if ($scope.profileConfig.mandatory2FA && !$scope.userInfo.twoFactorAuthenticationEnabled) return Client.notify('', $translate.instant('users.settings.require2FAWarning'), true, 'error', '#/profile');
-
             $scope.profileConfig.error = '';
             $scope.profileConfig.busy = true;
             $scope.profileConfig.success = false;
@@ -68,6 +65,12 @@ angular.module('Application').controller('UserSettingsController', ['$scope', '$
 
                 $timeout(function () {
                     $scope.profileConfig.busy = false;
+
+                    // prevent the current user from getting locked out. if user ignores this, they have to use cloudron-support --admin-login
+                    if ($scope.profileConfig.mandatory2FA && !$scope.userInfo.twoFactorAuthenticationEnabled) {
+                        if ($scope.userInfo.source && $scope.config.external2FA) return; // no need for warning if 2fa is external
+                        Client.notify('', $translate.instant('users.settings.require2FAWarning'), true, 'error', '#/profile');
+                    }
                 }, 500);
             });
         }