Allow enabling for Admins only

Created on 28 December 2022, over 1 year ago
Updated 30 January 2023, over 1 year ago

Problem/Motivation

The Excluded section of the configuration for this module makes the assumption, I guess, that users with high enough permissions don't need to bother with 2 factor authentication, while less privileged users do. But in my case, less privileged users (with just the authenticated role) don't have any power, so we don't require 2fa for them. Meanwhile, admins can do lots of stuff, so we want to ask them to jump through more hoops to log in.

Right now I can exclude certain roles from using 2FA, including the "Authenticated" role. But doing that means anyone with any higher level of permission is also excluded. Essentially, if I exclude the "Authenticated" role I've effectively disabled the module for every logged-in user.

Steps to reproduce

  1. Set up the module to require 2fa with the "Authenticated" user excluded, but all other higher-level permissions enabled.
  2. Log in as a user with a higher role, like an Administrator
  3. See no 2fa prompt

Here's my example setup:

Proposed resolution

There's ambiguity in the "Exclude roles" field that we could clear up by adding another field, and this would also allow us to add logic to force only Admins to use 2fa. Here's my proposed screenshot:

This adds a field that allows users to switch the logic of the "Excluded Roles" field between "Disable Email TFA for users with any of the following roles" which is what the module does now, and "Force Email TFA for users with any of the following roles" which is what I need. I'll add a patch for this in the next comment.

Remaining tasks

Add patch

User interface changes

New field on the Settings page that lets you choose the type of exclusion rules applied by Role. The existing logic will be assumed to be the default, so the module will be backward-compatible even if the config change is undone.

Data model changes

New schema field "role_exclusion_type".

✨ Feature request
Status

Fixed

Version

1.0

Component

Code

Created by

🇺🇸 United States mariacha1
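
The two role modes described in this issue, as an added PHP sketch that is not the Email TFA module's code and not the patch mentioned above. Only the `role_exclusion_type` key comes from the issue; the function name, the `roles` key, the mode values `exclude` and `force`, and the sample accounts are assumptions made for illustration.

```php
<?php
// Added illustration; not the Email TFA module's code. All names below are
// hypothetical except the 'role_exclusion_type' setting key named in the issue.

const MODE_EXCLUDE = 'exclude'; // assumed value: listed roles skip TFA (current behaviour)
const MODE_FORCE   = 'force';   // assumed value: only listed roles must pass TFA

/**
 * Decide whether a login must pass the second factor.
 *
 * @param string[] $userRoles Role IDs held by the account.
 * @param array    $settings  Keys: 'roles' (string[]), optional 'role_exclusion_type'.
 */
function tfa_required(array $userRoles, array $settings): bool {
  // Drupal gives every logged-in account the 'authenticated' role implicitly.
  $roles = array_unique(array_merge($userRoles, ['authenticated']));
  $listed = $settings['roles'] ?? [];
  // A missing or unrecognised setting falls back to the existing exclude logic.
  $mode = $settings['role_exclusion_type'] ?? MODE_EXCLUDE;
  $matches = count(array_intersect($roles, $listed)) > 0;

  return $mode === MODE_FORCE ? $matches : !$matches;
}

// Constructed sample accounts.
$accounts = [
  'member' => ['authenticated'],
  'editor' => ['authenticated', 'content_editor'],
  'admin'  => ['authenticated', 'administrator'],
];

// Constructed sample configurations.
$configs = [
  'exclude authenticated' => ['roles' => ['authenticated']],
  'force administrator'   => ['roles' => ['administrator'], 'role_exclusion_type' => MODE_FORCE],
];

foreach ($configs as $label => $settings) {
  foreach ($accounts as $name => $roles) {
    printf("%-22s %-7s TFA %s\n", $label, $name,
      tfa_required($roles, $settings) ? 'required' : 'skipped');
  }
}
```

With the first configuration every account, including the administrator, skips the second factor because all of them hold `authenticated`; with the second, only the administrator is prompted.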
