- 🇸🇰 Slovakia poker10
If the destination account is TFA protected, I think this is "Works as designed", because TFA is meant as a protection. If we allow skipping TFA in some way, it can also be considered a vulnerability (access bypass).
- 🇬🇧 United Kingdom mustanggb Coventry, United Kingdom
Urrm no, the point of administrators having access to user switching is to bypass access checks, otherwise they could just log in normally.
- 🇬🇧 United Kingdom mustanggb Coventry, United Kingdom
If anyone is still interested, I've grabbed a snippet of code from a custom module; it might at least give you a starting point if you wish to implement something like this.
```php
/**
 * Implements hook_menu_site_status_alter().
 */
function MODULE_menu_site_status_alter(&$menu_site_status, $path) {
  // Before a switch user take note of the original user.
  if (substr($path, 0, 12) === 'devel/switch') {
    global $user;
    global $original_user;
    $original_user = $user;
  }
}

/**
 * Implements hook_user_login().
 */
function MODULE_user_login(&$edit, $account) {
  // After a switch user bypass TFA.
  global $original_user;
  if (!empty($original_user)) {
    $_SESSION['tfa'][$account->uid]['login'] = TRUE;
  }
}
```
- 🇸🇰 Slovakia poker10
Thanks for the snippet @MustangGB!
Yes, switching is intended to skip the standard user login and it is an access bypass. But if an admin deploys a module to harden user authentication, then I think it is questionable whether there should still be similar ways to skip this entirely.
On the other hand, the maintainers of Devel unfortunately made the 7.x branch unsupported, so making any official changes just to allow certain functionality of an unsupported module to work is at least debatable.