fix Bug 65277

web/ASC.Web.Api/Api/Settings/TfaappController.cs

@@ -47,6 +47,7 @@ public class TfaappController : BaseSettingsController
     private readonly InstanceCrypto _instanceCrypto;
     private readonly Signature _signature;
     private readonly SecurityContext _securityContext;
+    private readonly TenantManager _tenantManager;
 
     public TfaappController(
         MessageService messageService,
@@ -69,7 +70,8 @@ public TfaappController(
         InstanceCrypto instanceCrypto,
         Signature signature,
         SecurityContext securityContext,
-        IHttpContextAccessor httpContextAccessor) : base(apiContext, memoryCache, webItemManager, httpContextAccessor)
+        IHttpContextAccessor httpContextAccessor,
+        TenantManager tenantManager) : base(apiContext, memoryCache, webItemManager, httpContextAccessor)
     {
         _smsProviderManager = smsProviderManager;
         _messageService = messageService;
@@ -88,6 +90,7 @@ public TfaappController(
         _instanceCrypto = instanceCrypto;
         _signature = signature;
         _securityContext = securityContext;
+        _tenantManager = tenantManager;
     }
 
     /// <summary>
@@ -435,6 +438,11 @@ public async Task<object> TfaAppNewAppAsync(TfaRequestsDto inDto)
             throw new SecurityAccessDeniedException(Resource.ErrorAccessDenied);
         }
 
+        if (!isMe && _tenantManager.GetCurrentTenant().OwnerId != _authContext.CurrentAccount.ID)
+        {
+            throw new SecurityAccessDeniedException(Resource.ErrorAccessDenied);
+        }
+
         if (!_tfaAppAuthSettingsHelper.IsVisibleSettings || !await TfaAppUserSettings.EnableForUserAsync(_settingsManager, user.Id))
         {
             throw new Exception(Resource.TfaAppNotAvailable);