Contrib.social

Inform admin that role does not have permission to setup own tfa

Open on Drupal.org →
Created on 4 February 2023, almost 2 years ago
Updated 10 September 2023, about 1 year ago

I've installed Drupal 10.0.3 and installed & setup the 2FA plugin

	vendor/bin/drush status | egrep "Drupal version"
		Drush version    : 11.4.0

	composer require 'drupal/tfa:2.x-dev@dev'
	composer show | grep tfa
		drupal/tfa      dev-2.x 2f92b27 Pluggable provider of two factor authenticatio...

tfa config includes usage for 'Authenticated User'

	[X]	Enable TFA
Roles required to set up TFA
	[X]	Authenticated user
	[ ]	Content editor
	[ ]	Administrator
Allowed Validation plugins
	[X]	TFA Time-based one-time password (TOTP)
Default Validation plugin: TFA Time-based one-time password (TOTP)
Number of Accepted Codes: 2
[X]	Use site name as OTP QR code name prefix.
Skip Validation: 1

I created a new authenticated user,

vendor/bin/drush user:create ${_U} --mail="${_E}" --password="${_P}"
vendor/bin/drush  user:information ${_U}
	+---------+-----------+----------------------------+---------------+-------------+
	| User ID | User name | User mail                  | User roles    | User status |
	+---------+-----------+----------------------------+---------------+-------------+
	| 5       | testusr   | testusr@example.com        | authenticated | 1           |
	+---------+-----------+----------------------------+---------------+-------------+

I can login to that authenticated user OK with the credentials I used in the setup.

On site login with that user I'm redirected to

	https://example.com/?check_logged_in=1

which displays

	You are required to setup <two-factor authentication>. You have 0 attempts left. After this you will be unable to login.

Clicking the link redirects to

	https://example.com/user/5/security/tfa

Which displays

	Access denied
	You are not authorized to access this page.

Bug? Or missing a needed grant of access ?

<!--break-->
📌 Task
Status

Fixed

Version

2.0

Component

Code

Created by

mbkaba22

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @aldev
  • Comment almost 2 years ago
    🇵🇹Portugal jcnventura

    It seems that that your users don't have the "setup own tfa" permission. I do agree that maybe that permission should be granted by default to all existing roles at the time of installing the site, as it makes little sense to block users from setting up their own TFA.

  • Comment almost 2 years ago
    🇺🇸United States greggles Denver, Colorado, USA

    I think it should be granted to roles manually so maybe documentation makes the most sense to try to improve this situation.

    The use case is that admins on a site should have TFA, but the UX and extra security are not appropriate for the typical end-user roles.

  • Comment almost 2 years ago
    🇵🇹Portugal jcnventura

    Still, if a user's role makes it mandatory for them to have TFA, they should be granted access to the per-user TFA settings.. The access check should maybe take into account both the "setup own tfa" permission and the "Roles required to set up TFA".

  • Comment almost 2 years ago
    🇺🇸United States greggles Denver, Colorado, USA

    That makes sense to me to harmonize them. Validation on the "roles required" could check that all those roles have the permission.

  • Comment over 1 year ago
    🇮🇳India bhanu951

    Can confirm, on a default installation this issue occurs.

    Granting "setup own tfa" permission to the required role fixed it.

    It would be helpful if we can just display a message after module enabling stating permission need to be explicitly assigned to the roles to setup TFA.

  • Comment over 1 year ago
    🇺🇸United States cmlara

    Still, if a user's role makes it mandatory for them to have TFA, they should be granted access to the per-user TFA settings.. The access check should maybe take into account both the "setup own tfa" permission and the "Roles required to set up TFA".

    While this was indeed my first though when I accidentally ran into this issue the other day I'm not sure we should run under that assumption.

    There is indeed a difference between 'required to have tfa' and 'allowed to make changes to token', just because your required to use TFA doesn't mean your allowed to configure it (though I will admit in most cases this will indeed be true.)

    I'm inclined to think this should indeed be a documentation change and if we want to reduce the support burden add a status indication under each role that is available to be required that "Role does not have access to configure own tokens, see permissions" (with a link to the Drupal permissions page) this somewhat tracks with the suggestion from #6

  • Open in Jenkins → Open on Drupal.org →
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    21 pass
  • @cmlara opened merge request.
  • Comment over 1 year ago
    🇺🇸United States cmlara

    Opened MR based on my suggetions in #6 for the SettingsForm to make it more apparent that the "setup own tfa" permission is often necessary.

    The remainder of this issue regarding the messaging that leads the user to the error in the first place is probably best handled in the already open 📌 Users are directed to TFA overview regardless of 'setup own tfa' permission Fixed

  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇺🇸United States cmlara
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    21 pass
  • Open in Jenkins → Open on Drupal.org →
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update about 1 year ago
    21 pass
  • Status changed to Fixed about 1 year ago
  • Comment about 1 year ago
    🇺🇸United States cmlara

    Committed to Dev.

    Not currently planning on back-porting to 1.x at this time since it involves from constructor changes for what is essentially a feature.

  • Comment about 1 year ago
    System Message
    • cmlara committed 79ba3bcd on 2.x 
      Issue #3339277 by cmlara, Bhanu951, jcnventura, greggles: Inform admin...
  • Comment about 1 year ago
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024