redirekt to out/out.Setup2Auth.php if 2-fact-auth isn't setup

make sure user has not been substituted for setting up 2-fact-auth
or password change

inc/inc.Authentication.php

@@ -81,8 +81,10 @@ if (!is_object($user)) {
 	exit;
 }
 
+$origuser = null;
 if($resArr["su"] && $su = $dms->getUser($resArr["su"])) {
 	if($user->isAdmin() || $user->maySwitchToUser($su)) {
+		$origuser = $user;
 		$user = $su;
 	} else {
 		$session->resetSu();
@@ -127,10 +129,10 @@ if(file_exists($settings->_rootDir . "view/".$theme."/languages/" . $lang . "/la
 /* Check if password needs to be changed because it expired. If it needs
  * to be changed redirect to out/out.ForcePasswordChange.php. Do this
  * check only if password expiration is turned on, we are not on the
- * page to change the password or the page that changes the password, and
- * it is not admin */
+ * page to change the password or the page that changes the password, the
+ * current user is not admin, and no user substiation has occured. */
 
-if (!$user->isAdmin()) {
+if (!$user->isAdmin() && $origuser == null) {
 	if($settings->_passwordExpiration > 0) {
 		if(basename($_SERVER['SCRIPT_NAME']) != 'out.ForcePasswordChange.php' && basename($_SERVER['SCRIPT_NAME']) != 'op.EditUserData.php') {
 			$pwdexp = $user->getPwdExpiration();
@@ -145,6 +147,17 @@ if (!$user->isAdmin()) {
 	}
 }
 
+/* Check if secret is set for 2-factor authentication. Redirect to Setup2Factor.php
+ * if secret is not set and 2-factor authentication is turned on. Also check if
+ * already on the page Setup2Factor.php and no user substiation has occured.
+ */
+if($settings->_enable2FactorAuthentication && $origuser == null && $user->getSecret() == '') {
+	if(basename($_SERVER['SCRIPT_NAME']) != 'out.Setup2Factor.php') {
+		header("Location: ../out/out.Setup2Factor.php");
+		exit;
+	}
+}
+
 /* Update cookie lifetime */
 if($settings->_cookieLifetime) {
 	$lifetime = time() + intval($settings->_cookieLifetime);