Contrib.social

Admin cannot disable TFA for a user

Open on Drupal.org β†’
Created on 13 November 2024, about 1 month ago

Problem/Motivation

We have a set up where two roles are required to have TFA - User admins and Content editors.

User admins are allowed to Administer TFA for other users to reset the TFA when a user has made a mistake during the set up process or have lost access to the second factor.

However due to a bug in the access logic User admins with the Administer TFA for other users permission can't actually reset TFA for other users.

Steps to reproduce

  • create a User admin role with the Set up TFA for account and Administer TFA for other users permissions
  • create a Content editor role with the Set up TFA for account permission
  • set up TFA module with
    • Roles required to set up TFA: User admin, Content editor
    • Allowed Validation plugins: TFA Time-based one-time password (TOTP)
    • Settings for users who have not set up TFA:
      • Skip Validation: 1
      • Redirect users on login to TFA Setup Page: checked
  • create an admin user with the User admin role and set up TFA
  • create an editor user with the Content editor role and set up TFA
  • as an admin user, navigate to the editor user TFA page and click "Disable TFA" link

Expected result

Confirm disabling TFA by entering admin user password.

Actual result

Access denied.

Proposed resolution

Fix the access check on the "tfa.disable" route.

Remaining tasks

  • merge request
  • review
  • merge
πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡³πŸ‡ΏNew Zealand RoSk0 Wellington

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @RoSk0
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand RoSk0 Wellington

    Unfortunately it is impossible to to fix access check only for one route as the same custom access code is used all over.

    Attempted to fix the bug by the smallest possible change.

  • Merge request !98Issue #3487347: Admin cannot disable TFA for a user β†’ (Merged) created by RoSk0
  • Pipeline finished with Success
    about 1 month ago
    Total: 342s
    #338024
  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    High level glance:

    Per πŸ› The "tfa_trusted_browser" plugin does not exist. Needs work we would not want to allow blind admin access to tfa.validation.setup

    For tfa.disable and tfa.plugin.reset
    Cursory glance it is an AND condition between _custom_access and _permission:

    Can we just do 

    -    _permission: 'disable own tfa'
+    _permission: 'disable own tfa+administer tfa for other users'

    Ref: https://www.drupal.org/docs/drupal-apis/routing-system/structure-of-routes β†’

    Resulting Policy: Must validate through _custom_access AND have permission ( "disable own tfa" OR "administer tfa for other users")
    (Unless this is a newer change in policy support? would need to test older core to validate).

  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Thinking further, suggestion from #3 would likely allow admins to disable their own TFA which would be a step too far on the change.

    Looking deeper at the code MR it looks like tfa.validation.setup might still be safe as is (I missed it was an early return).

    This probably primarily just needs the PHPStan warnings fixed, leaving as NW for that.

    I wish we had testing on this, however it seems there is nowhere reliably testing just this code at the moment, making it a bit of an undue burden to make it a condition for allowing through. Will likely want a followup issue to add unit tests for accessSelfOrAdmin().

  • Pipeline finished with Success
    about 1 month ago
    Total: 283s
    #338129
  • Pipeline finished with Running
    about 1 month ago
    #338133
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand RoSk0 Wellington

    PHPStan should be happy now.

  • Pipeline finished with Success
    about 1 month ago
    Total: 534s
    #338154
  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Visually looks good.

    I want to run through a few rounds of manual testing (validate admins can't disable their own TFA if they don't have the disable self permission, make sure average users can not edit TFA for others, etc) which is going to require me to full lab this adding a slight delay to commit, however I do not foresee any of those manual tests failing.

    Adding manual testing tag to remind myself.

  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand patrickharris

    This MR fixes the problem, and is working nicely for me.

  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Manually tested:
    User with 'setup own tfa' can setup own token.
    User with 'setup own tfa' can not setup tokens for other users.
    User with 'disable own tfa' can disable own token
    User with without 'disable own tfa' can not disable TFA.
    User with 'administer tfa for other users' can admin other users TFA, including disabling TFA.
    User with 'administer tfa for other users' but not 'disable own tfa' can not disable TFA for self.

  • Comment about 1 month ago β†’
    System Message
  • Comment about 1 month ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Committed to dev.

  • Comment about 1 month ago β†’
    System Message
    • cmlara β†’ committed 0b51e685 on 2.x 
      Issue #3487347 by rosk0, cmlara: Admin cannot disable TFA for a user

Co...
  • Comment 16 days ago β†’
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024