When visiting self-hosted Matomo installation (with two-factor authentication enabled):
It seems to me 2 factor authentication should be successfully completed before prompting for upgrade and before permitting initiation of upgrade.
What do you mean by "prompted for upgrade"? We screen to complete the upgrade by executing the updates is shown to anyone AFAIK, even to not logged in users if I remember correctly
Yes, by "prompted for upgrade", I meant the screen showing that an upgrade is available.
Matomo initiated the upgrade once I logged in with password, but it didn't require 2FA. It seems to me that it ought to, if 2FA is enabled, no?
@paulrudy I can't reproduce it. What I would expect is that it shows the "Please update the database screen". We would show this even to a logged out user if you just updated the codebase. This is done in https://github.com/matomo-org/matomo/pull/13796
After logging in, you can access the update screen though directly by opening eg the URL https://matomo.example.com/index.php?module=CoreUpdater&action=newVersionAvailable .
This we could possibly disallow I think by adjusting the condition to this:
Sorry for the late reply. Glad my comment was useful, even if I couldn't quite remember accurately.