- Issue created by @jvollebregt-swis
- @jvollebregt-swis opened merge request.
Submitted an MR to fix it. I'm also uploading a patch file of the MR for 2.x and one for 1.x for use with composer-patches (Though they're the same code, the line numbers changed)
- πΊπΈUnited States cmlara
@jvollebregt-swis do you consider this ready for review or is there other work still to be done?
@cmlara yes this is ready for review, was I supposed to tag this somehow?
- πΊπΈUnited States cmlara
was I supposed to tag this somehow?
Currently under Drupal.org issues are generally marked 'needs review' when ready, although I imagine when D.O. move's to GitLab issues it may just be the presence of a non-draft MR.
Just wanted to validate you were not working on any concerns before I proceed with testing
- πΊπΈUnited States cmlara
When a user has disable own tfa but not administer tfa for other users while viewing another user's TFA page
I'm not able to duplicate having access to another users TFA page unless they have the administer tfa or other users permission.
If you are able to duplicate this scenario it should be rasied as a private security issue for further discussion.
When a user has administer tfa for other users but not disable own tfa while viewing own TFA page
I am able to duplicate this, and attached patch does appear to remove the link.
As noted in IS access is blocked when clicking on the link making the change purely cosmetic.
-
cmlara β
committed df39879f on 2.x authored by
jvollebregt-swis β
Issue #3531309 by jvollebregt-swis: TfaOverviewForm shows "Disable TFA"...
-
cmlara β
committed df39879f on 2.x authored by
jvollebregt-swis β
-
cmlara β
committed 83770a81 on 8.x-1.x
Issue #3531309 by jvollebregt-swis: TfaOverviewForm shows "Disable TFA"...
-
cmlara β
committed 83770a81 on 8.x-1.x
Automatically closed - issue fixed for 2 weeks with no activity.