Previously, we did not allow setting `enforce_second_factor` to
`all` if any social/external auth providers were enabled for the
site. This was inconsistent, as you could still set it to `staff`,
and lead to a bad experience where since the users were forced to
enable 2FA, they were no longer able to use their social login.
This commit changes things so that:
* If a user only has social/external auth, they will not have 2FA
enforced even if it is set to all/staff
* We no longer disallow turning on `enforce_second_factor` if
social/external auth is configured for the site
* We update the site setting description for `enforce_second_factor`
to reflect this
This way, site admins can enforce 2FA for people who are using
only local logins, and people using social logins can use
2FA on the external site and not need double-2FA on Discourse.
5d81c2f660