@paulrudy opened this Issue on March 21st 2019

When visiting self-hosted Matomo installation (with two-factor authentication enabled):

  1. Matomo prompted for login/pass, but did not require 2 factor authentication
  2. Matomo prompted for upgrade
  3. I initiated upgrade and Matomo completed it
  4. An error page—referencing something like a loop. I didn't copy it, sorry.
  5. Browsed back
  6. Matomo showed upgrade successfully completed page
  7. Matomo finally asks for 2 factor authentication

It seems to me 2 factor authentication should be successfully completed before prompting for upgrade and before permitting initiation of upgrade.

@tsteur commented on March 21st 2019 Member

What do you mean by "prompted for upgrade"? We screen to complete the upgrade by executing the updates is shown to anyone AFAIK, even to not logged in users if I remember correctly

@paulrudy commented on March 22nd 2019

Yes, by "prompted for upgrade", I meant the screen showing that an upgrade is available.

Matomo initiated the upgrade once I logged in with password, but it didn't require 2FA. It seems to me that it ought to, if 2FA is enabled, no?

@tsteur commented on April 7th 2019 Member

@paulrudy I can't reproduce it. What I would expect is that it shows the "Please update the database screen". We would show this even to a logged out user if you just updated the codebase. This is done in https://github.com/matomo-org/matomo/pull/13796

After logging in, you can access the update screen though directly by opening eg the URL https://matomo.example.com/index.php?module=CoreUpdater&action=newVersionAvailable .
This we could possibly disallow I think by adjusting the condition to this:
image

@paulrudy commented on April 13th 2019

Sorry for the late reply. Glad my comment was useful, even if I couldn't quite remember accurately.

This Issue was closed on April 10th 2019
Powered by GitHub Issue Mirror