Don't allow enforcing 2FA unless the superuser has set it up already #17352
Comments
Ideally we would get someone to activate 2FA first and then allow enabling it. That might be a bit more work though, so we could maybe rather add a message. We could have otherwise checked if the current visitor has 2FA set up and then tried to disable the setting in the UI super easily if 2FA is disabled for the current account, and adjusted the message to say "please set up 2FA first", but it's not needed if it takes, say, more than 10 minutes.
I have put up a PR that just expands the text on the setting UI to provide more information about the consequences of turning on "require 2FA": #17400. I have some questions about how to determine if the current user has 2FA enabled themselves. The directory containing plugins/TwoFactorAuth/SystemSettings.php contains Controller.php, Validator.php, and TwoFactorAuthentication.php. The controller contains an instance of the validator, which contains an instance of twoFa. There are functions available on each level of that structure to determine if the user has 2FA set up. For example. Is there a preferred approach for accessing these methods (or similar) from the context of the system settings? I haven't been able to find an example of a plugin SystemSettings.php loading an instance of an object to allow it to selectively disable a setting on a per-user basis.
Hi @andyjdavis, you'd want to use the
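One way to do the per-user check asked about above, as an added example that is not part of this issue, of PR #17400, or of Matomo's own code. It is a hypothetical plugin `SystemSettings` class (plugin name `RequireTwoFa` is made up) that resolves the `TwoFactorAuthentication` service from Matomo's DI container and refuses to *enable* the "require 2FA for everyone" setting unless the saving superuser already has 2FA on their own account, while still letting the value be turned *off*, so a locked-out admin is not locked out a second time. The method name `isUserUsingTwoFactorAuthentication($login)` is assumed to exist on `TwoFactorAuthentication` with that signature; the other calls (`makeSetting`, `FieldConfig::validate`, `Piwik::getCurrentUserLogin`, `StaticContainer::get`) are standard Matomo plugin API.

```php
<?php
// Added example, not Matomo's code. Hypothetical plugin "RequireTwoFa".
namespace Piwik\Plugins\RequireTwoFa;

use Piwik\Container\StaticContainer;
use Piwik\Piwik;
use Piwik\Plugins\TwoFactorAuth\TwoFactorAuthentication;
use Piwik\Settings\FieldConfig;
use Piwik\Settings\Setting;

class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
{
    /** @var Setting */
    public $twoFactorAuthRequired;

    protected function init()
    {
        $this->twoFactorAuthRequired = $this->makeSetting(
            'twoFactorAuthRequired',
            $default = false,
            FieldConfig::TYPE_BOOL,
            function (FieldConfig $field) {
                $field->title = 'Require two-factor authentication for everyone';
                $field->uiControl = FieldConfig::UI_CONTROL_CHECKBOX;

                // Explain the consequence up front, and say why the box may be rejected.
                $field->description = $this->currentUserHasTwoFa()
                    ? 'Every user will be forced to set up 2FA at their next login.'
                    : 'Set up 2FA for your own account first. Enabling this without it would '
                    . 'lock you out of this settings page until you complete 2FA setup.';

                // Validation runs on save. Only the transition to "on" is gated, so an
                // administrator who got locked in can still switch the setting off.
                $field->validate = function ($value) {
                    if ($value && !$this->currentUserHasTwoFa()) {
                        throw new \Exception(
                            'You must enable two-factor authentication for your own account '
                            . 'before requiring it for everyone.'
                        );
                    }
                };
            }
        );
    }

    /**
     * True when the logged-in user is a superuser who already has 2FA active.
     * Assumption: TwoFactorAuthentication::isUserUsingTwoFactorAuthentication($login)
     * exists and returns a bool.
     */
    private function currentUserHasTwoFa(): bool
    {
        if (!Piwik::hasUserSuperUserAccess()) {
            // Only superusers may change system settings anyway; fail closed for anyone else.
            return false;
        }

        $login = Piwik::getCurrentUserLogin();

        /** @var TwoFactorAuthentication $twoFa */
        $twoFa = StaticContainer::get(TwoFactorAuthentication::class);

        return (bool) $twoFa->isUserUsingTwoFactorAuthentication($login);
    }
}
```

Pulling the service from the container rather than newing up `Controller` or `Validator` keeps the settings class free of the controller's request-handling dependencies, and checking at validation time (not only in the UI) means the rule also holds when the setting is written through the API or a script, not just when the checkbox is clicked.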
#17400 has now merged. I believe this issue can be closed.
Fixed by #17400
This issue has been mentioned on Matomo forums. There might be relevant details there: https://forum.matomo.org/t/unable-to-enforce-2fa-for-everyone-greyed-out/44900/2
reported in https://forum.matomo.org/t/problem-with-the-two-factor-authentication-setting/41128
If a user who is unable to set up 2FA accidentally enables "Require two-factor authentication for everyone", they are unable to disable it until they set up 2FA (or they update the setting in the db:
)
I think this setting should only be allowed if at least one superuser has 2FA already set up (or maybe only if the current superuser has 2FA already set up)