Allowing authenticated users access to setup adds misleading message to config form

Created on 3 June 2025, 24 days ago

Problem/Motivation

A message "- Role does not have access to configure own tokens, verify permissions" is shown against all other roles if authenticated user is given 'setup own tfa' permission

Steps to reproduce

  1. Grant 'setup own tfa' to authenticated
  2. Go to /admin/config/people/tfa and check the 'Roles required to set up TFA' list

Proposed resolution

Update message

Remaining tasks

MR

User interface changes

Different message

API changes

N/A

Data model changes

N/A

πŸ› Bug report
Status

Active

Version

2.0

Component

User interface

Created by

πŸ‡¬πŸ‡§United Kingdom scott_euser

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @scott_euser
  • Merge request !143Inherit permissions message β†’ (Merged) created by scott_euser
  • πŸ‡¬πŸ‡§United Kingdom scott_euser

    Before:

    After:

  • πŸ‡¬πŸ‡§United Kingdom scott_euser
  • Pipeline finished with Success
    24 days ago
    Total: 706s
    #513712
  • πŸ‡ΊπŸ‡ΈUnited States cmlara

    Overall looks good.

    There is one small oddity I encountered in a quick validation check.

    If one sets the permission for a role (such as content editor) and then sets the Authenticated user to have the permission the content editor role permission is still present so it will not display the inheritance warning, however at the same time a site owner can not remove the permission from the role as it is inherited.

    While the patch is actually technically more correct as currently written, should we consider performing the inheritance check first and then the hasPermission check for a more consistent UI?

    If we were to do that however I imagine the Administrator role would show as inheriting, is that a better or worse UX than what is currently in the patch?

    Leaving NR for additional feedback.

  • πŸ‡ΊπŸ‡ΈUnited States cmlara

    Since this is more technically accurate and brings up less questions merging as is..

    Can be backported to 8.x-1.x manually (cherry-pick fails)

  • πŸ‡¬πŸ‡§United Kingdom scott_euser

    Thanks, sorry for being a bit slow addressing feedback! Happy to handle the mix of combined inherited + permission.

    Wondering if the UI should become a tableselect like this instead as some of these descriptions are getting rather long. Perhaps this makes it easier to read? I left both on the screen for now to get your preference.

  • πŸ‡ΊπŸ‡ΈUnited States cmlara

    Wondering if the UI should become a tableselect like this instead as some of these descriptions are getting rather long. Perhaps this makes it easier to read?

    That does appear to be easier to read and allow for a nice delineation between the role/description that is otherwise missing. I also like how the role is called out for both.

    +1 from me (based on the screenshot) for the changes to be implemented.

  • πŸ‡¬πŸ‡§United Kingdom scott_euser

    Great thanks, I'll try to get this back to you in the next several days. Thanks!

  • Pipeline finished with Success
    8 days ago
    Total: 327s
    #526759
  • πŸ‡¬πŸ‡§United Kingdom scott_euser

    Was simpler than I expected, seems its a true drop-in replacement element for standard checkboxes element:

Production build 0.71.5 2024