TFA prevents Devel switch user

Created on 26 May 2019, about 5 years ago
Updated 1 November 2023, 8 months ago

When TFA and Devel are enabled and I want to switch to another user, I am presented the login screen. Logging in does not perform the switch.

πŸ› Bug report
Status

Closed: works as designed

Version

2.0

Component

Code

Created by

🇳🇱 Netherlands edvanleeuwen Waalwijk


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇸🇰 Slovakia poker10

    If the destination account is TFA protected, I think this is Works as designed, because the TFA is meant as a protection. If we allow TFA to be skipped in some way, it can also be considered a vulnerability (access bypass).

  • 🇬🇧 United Kingdom MustangGB Coventry, United Kingdom

    Urrm no, the point of administrators having access to user switching is to bypass access checks, otherwise they could just login normally.

  • 🇬🇧 United Kingdom MustangGB Coventry, United Kingdom

    If anyone is still interested, I've grabbed a snippet of code from a custom module; at least it might give you a starting point if you wished to implement something like this.

    /**
     * Implements hook_menu_site_status_alter().
     */
    function MODULE_menu_site_status_alter(&$menu_site_status, $path) {
      // Before a switch user take note of the original user.
      if (substr($path, 0, 12) === 'devel/switch') {
        global $user;
        global $original_user;
        $original_user = $user;
      }
    }
    
    /**
     * Implements hook_user_login().
     */
    function MODULE_user_login(&$edit, $account) {
      // After a switch user bypass TFA.
      global $original_user;
      if (!empty($original_user)) {
        $_SESSION['tfa'][$account->uid]['login'] = TRUE;
      }
    }
    
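A hardened variant of the snippet above, added here as an example (it is not MustangGB's code and not part of Devel or TFA): it keeps the switch-user bypass, but only for requests whose original account holds Devel's 'switch users' permission, and it writes every TFA skip to the watchdog log so the bypass is attributable. It assumes Drupal 7 with Devel and TFA 7.x-2.x, and MODULE stands for the custom module's machine name.

```php
<?php
/**
 * Implements hook_menu_site_status_alter().
 */
function MODULE_menu_site_status_alter(&$menu_site_status, $path) {
  // Remember the requesting account before devel/switch/% replaces $user.
  // Only accounts allowed to switch are recorded; anyone else is ignored,
  // so the TFA skip in hook_user_login cannot be reached through this path.
  if (strpos($path, 'devel/switch') === 0) {
    global $user;
    global $original_user;
    $original_user = user_access('switch users', $user) ? $user : NULL;
  }
}

/**
 * Implements hook_user_login().
 */
function MODULE_user_login(&$edit, $account) {
  global $original_user;
  // Nothing recorded (or switching to the same account): let TFA run as usual.
  if (empty($original_user) || $original_user->uid == $account->uid) {
    return;
  }
  // Skip TFA for this switch, as in the original snippet, then leave an
  // audit trail naming both accounts so the bypass can be reviewed later.
  $_SESSION['tfa'][$account->uid]['login'] = TRUE;
  watchdog('MODULE', 'TFA skipped: %from switched to %to via Devel.',
    array('%from' => $original_user->name, '%to' => $account->name),
    WATCHDOG_NOTICE);
  // Clear the marker so no later hook_user_login in this request reuses it.
  $original_user = NULL;
}
```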
  • 🇸🇰 Slovakia poker10

    Thanks for the snippet @MustangGB!

    Yes, switching is intended to skip the standard user login and it is an access bypass. But if an admin deploys a module to harden user authentication, then I think it is questionable whether there should still be similar ways to skip this entirely.

    On the other hand, the maintainers of Devel unfortunately made the 7.x branch unsupported, so doing any official changes just to allow certain functionality of an unsupported module to work is at least debatable.
