
require TwoFA to be verified before updating code base #14251

Closed
paulrudy opened this issue Mar 21, 2019 · 4 comments · Fixed by #14322
Labels
Bug For errors / faults / flaws / inconsistencies etc.

Comments

@paulrudy

When visiting a self-hosted Matomo installation (with two-factor authentication enabled):

  1. Matomo prompted for login/pass, but did not require 2 factor authentication
  2. Matomo prompted for upgrade
  3. I initiated upgrade and Matomo completed it
  4. An error page—referencing something like a loop. I didn't copy it, sorry.
  5. Browsed back
  6. Matomo showed upgrade successfully completed page
  7. Matomo finally asks for 2 factor authentication

It seems to me 2 factor authentication should be successfully completed before prompting for upgrade and before permitting initiation of upgrade.

@tsteur
Member

tsteur commented Mar 21, 2019

What do you mean by "prompted for upgrade"? The screen to complete the upgrade by executing the updates is shown to anyone AFAIK, even to not logged in users, if I remember correctly.

@paulrudy
Author

Yes, by "prompted for upgrade", I meant the screen showing that an upgrade is available.

Matomo initiated the upgrade once I logged in with password, but it didn't require 2FA. It seems to me that it ought to, if 2FA is enabled, no?

@tsteur
Member

tsteur commented Apr 7, 2019

@paulrudy I can't reproduce it. What I would expect is that it shows the "Please update the database screen". We would show this even to a logged out user if you just updated the codebase. This is done in #13796

After logging in, you can access the update screen though directly by opening e.g. the URL https://matomo.example.com/index.php?module=CoreUpdater&action=newVersionAvailable .
This we could possibly disallow I think by adjusting the condition to this:
image
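The access-control gap described in this thread is the difference between "has logged in with a password" and "has completed every enabled factor". The following is an added, constructed model (not Matomo's code; the `Session` class, the gate functions and the `dispatch` helper are all assumptions) showing a gate on the `CoreUpdater` module that only checks for a login beside one that also requires the second factor when 2FA is enabled:

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed session model (example only, not Matomo's session handling).
@dataclass
class Session:
    user: Optional[str] = None     # set once password login succeeded
    two_fa_enabled: bool = False   # the account has 2FA configured
    two_fa_verified: bool = False  # the second factor was confirmed in this session

    @property
    def is_logged_in(self) -> bool:
        return self.user is not None

    @property
    def is_fully_authenticated(self) -> bool:
        # A password alone is sufficient only for accounts without 2FA.
        return self.is_logged_in and (not self.two_fa_enabled or self.two_fa_verified)


def update_allowed_weak(session: Session, module: str, action: str) -> bool:
    """Flawed gate: any password login may reach the updater screens."""
    if module != "CoreUpdater":
        return True
    return session.is_logged_in


def update_allowed_fixed(session: Session, module: str, action: str) -> bool:
    """Hardened gate: updater screens need the second factor when 2FA is enabled."""
    if module != "CoreUpdater":
        return True
    return session.is_fully_authenticated


Gate = Callable[[Session, str, str], bool]


def dispatch(session: Session, module: str, action: str, gate: Gate) -> str:
    """Route a request through the chosen gate; returns the decision as a string."""
    if gate(session, module, action):
        return f"serve:{module}.{action}"
    # A logged-in user missing the second factor is sent to the 2FA step,
    # an anonymous visitor to the login form.
    return "redirect:twofactor" if session.is_logged_in else "redirect:login"


if __name__ == "__main__":
    half_done = Session(user="admin", two_fa_enabled=True, two_fa_verified=False)
    print(dispatch(half_done, "CoreUpdater", "newVersionAvailable", update_allowed_weak))
    print(dispatch(half_done, "CoreUpdater", "newVersionAvailable", update_allowed_fixed))
```

Run stand-alone, the first line shows the updater being served to a session that has only passed the password step, the second shows the same request being redirected to the two-factor step.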

@tsteur tsteur added the Bug For errors / faults / flaws / inconsistencies etc. label Apr 7, 2019
diosmosis pushed a commit that referenced this issue Apr 10, 2019
* require TwoFA to be verified before updating code base

fix #14251

* Remove part of comment
@paulrudy
Author

Sorry for the late reply. Glad my comment was useful, even if I couldn't quite remember accurately.

@mattab mattab changed the title Update without proper two factor authentication require TwoFA to be verified before updating code base Jun 29, 2019