Check user session before displaying two factor seed

Two factor seed page was not properly checking for user session, allowing an authenticated user to see everyone's 2fa seed

src/User/Controller/SettingsController.php

@@ -453,6 +453,10 @@ class SettingsController extends Controller
 
     public function actionTwoFactor($id)
     {
+        if($id != Yii::$app->user->id) {
+            throw new ForbiddenHttpException();
+        } 
+        
         $choice = Yii::$app->request->post('choice');
         /** @var User $user */
         $user = $this->userQuery->whereId($id)->one();