Code is not validated if allow_enable_disable is disabled

Created on 22 May 2025, 15 days ago

Problem/Motivation

While testing the module I noticed I could input random code and it would still enable 2FA.

Steps to reproduce

Don't enable the "Allow Users to Enable/Disable 2FA?" option.
Browse to /user/1/2fa and input a random code.

Proposed resolution

This seems to happen because SettingsForm::validateForm() only validates the code if the enable_2fa is checked. But this checkbox is not displayed when allow_enable_disable is disabled.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report

Status

Active

Version

2.1

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @prudloff
Comment 10 days ago →
🇷🇺Russia mikhailkrainiuk
Hello!
The patch to fix it. It validates the code if user can enable/disable 2FA and he selected "Enable 2FA", or if 2FA is required for users.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024