Fix 2fa code being accessible to user even after it is enabled

Author: Seldaek

src/Controller/UserController.php

@@ -274,6 +274,10 @@ public function enableTwoFactorAuthAction(Request $req, #[VarName('name')] User
             throw $this->createAccessDeniedException('You cannot change this user\'s two-factor authentication settings');
         }
 
+        if ($user->isTotpAuthenticationEnabled()) {
+            throw $this->createAccessDeniedException('Two-factor authentication is already enabled');
+        }
+
         $secret = (string) $req->getSession()->get('2fa_secret') ?: $authenticator->generateSecret();
         // Temporarily store this code on the user, as we'll need it there to generate the
         // QR code and to check the confirmation code.  We won't actually save this change