Fix #4841: force 2FA validation when it's required in site level.

Oqtane.Server/Controllers/UserController.cs

@@ -136,7 +136,7 @@ namespace Oqtane.Controllers
                     filtered.PhotoFileId = user.PhotoFileId;
                     filtered.LastLoginOn = user.LastLoginOn;
                     filtered.LastIPAddress = user.LastIPAddress;
-                    filtered.TwoFactorRequired = false;
+                    filtered.TwoFactorRequired = user.TwoFactorRequired;
                     filtered.Roles = user.Roles;
                     filtered.CreatedBy = user.CreatedBy;
                     filtered.CreatedOn = user.CreatedOn;

Oqtane.Server/Managers/UserManager.cs

@@ -339,13 +339,15 @@ namespace Oqtane.Managers
                     user = _users.GetUser(user.Username);
                     if (!user.IsDeleted)
                     {
-                        if (user.TwoFactorRequired)
+                        var alias = _tenantManager.GetAlias();
+                        var twoFactorSetting = _settings.GetSetting(EntityNames.Site, alias.SiteId, "LoginOptions:TwoFactor")?.SettingValue ?? "false";
+                        var twoFactorRequired = twoFactorSetting == "required" || user.TwoFactorRequired;
+                        if (twoFactorRequired)
                         {
                             var token = await _identityUserManager.GenerateTwoFactorTokenAsync(identityuser, "Email");
                             user.TwoFactorCode = token;
                             user.TwoFactorExpiry = DateTime.UtcNow.AddMinutes(10);
                             _users.UpdateUser(user);
-                            var alias = _tenantManager.GetAlias();
                             string siteName = _sites.GetSite(alias.SiteId).Name;
                             string subject = _localizer["TwoFactorEmailSubject"];
                             subject = subject.Replace("[SiteName]", siteName);