- Issue created by @zebda
- 🇺🇸 United States cmlara
This sounds like the user does not actually have the 'setup own tfa' permission.
Permissions in routing.yml are an AND between _custom_access and _permission.
- 🇳🇱 Netherlands zebda
But removing the _custom_access allows the user to access the page, so I think this proves that the permissions are set. Because the only thing that is checked for the route is the permission 'setup own tfa'. Or am I wrong?
- 🇺🇸 United States cmlara
think this proves that the permissions are set.
Good point. That should indeed imply that the permission is set as long as you are on 8.x-1.9 (if you're on 8.x-1.x-dev we recently changed operations so the access controller performs all the checks: Admin cannot disable TFA for a user).
I'm at a bit of a loss here. If you say you see accessSelfOrAdmin returns that access is permitted yet core is refusing the access, I wonder if there is some issue upstream or in side-stream.
I haven't explicitly attempted to reproduce this today, however I'm in that page often as test users for dev work and have never seen a problem.
What version of core? Any other modules installed (especially those that apply core's new Access Policy API, as this changes how core processes permissions)?
- 🇳🇱 Netherlands zebda
Yes, my best bet is that another module in combination with TFA is the problem. But I can't see what is doing this. I'm using the contributed module field_permissions. And I have some custom modules using AccessResult, one specifically focussing on user pages. But turning off this module doesn't solve the problem. Is there a better way to debug than just turning modules off one by one?
P.S. I'm on 1.9, also tried the dev version but it didn't make any difference.
- 🇳🇱 Netherlands zebda
Found it. I finally did go for disabling the modules one by one. And ended up with an access handler in one of my custom modules. Don't understand why it blocked access to the tfa pages but I fixed it.
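
Added example, not part of the thread and not Drupal or TFA code: a simplified Python model of the AND between _permission and _custom_access described in cmlara's first comment, returning a per-check trace so the requirement that withholds access can be seen without disabling modules one by one. The self_or_admin callback, the account dictionaries and the 'administer users' bypass are assumptions made for illustration.

```python
# Simplified model of how route access requirements are combined.
# Illustration only; the names below are hypothetical, not Drupal's API.
from enum import Enum


class Access(Enum):
    ALLOWED = "allowed"
    NEUTRAL = "neutral"
    FORBIDDEN = "forbidden"


def and_if(a, b):
    """AND of two results: forbidden wins, allowed needs both sides allowed."""
    if Access.FORBIDDEN in (a, b):
        return Access.FORBIDDEN
    if a is Access.ALLOWED and b is Access.ALLOWED:
        return Access.ALLOWED
    return Access.NEUTRAL


def permission_check(permission):
    """_permission requirement: allowed with the permission, else neutral."""
    def check(account, route_uid):
        held = permission in account["permissions"]
        return Access.ALLOWED if held else Access.NEUTRAL
    return check


def self_or_admin(account, route_uid):
    """Hypothetical stand-in for a _custom_access callback."""
    is_admin = "administer users" in account["permissions"]
    if account["uid"] == route_uid or is_admin:
        return Access.ALLOWED
    return Access.FORBIDDEN


def check_route(requirements, account, route_uid):
    """Return (granted, trace); access is granted only if every check allows."""
    combined, trace = Access.ALLOWED, []
    for name, check in requirements.items():
        result = check(account, route_uid)
        trace.append((name, result.value))
        combined = and_if(combined, result)
    return combined is Access.ALLOWED, trace


# Constructed sample route and accounts.
ROUTE = {"_permission": permission_check("setup own tfa"),
         "_custom_access": self_or_admin}
USER = {"uid": 7, "permissions": {"setup own tfa"}}
NO_PERM = {"uid": 7, "permissions": set()}
```

A neutral result from either requirement is enough to deny the route, which is why the trace lists each check separately instead of only the combined outcome.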