New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow enable 2FA requirement when user doesn't have 2FA enabled #17400
Conversation
dd1d037
to
867e93e
Compare
I believe I currently have two independent problems in this PR. Quite impressive for such a small amount of code :| I'm new to this repo so likely making simple mistakes. Hopefully those mistakes are immediately apparent to someone who knows Matomo better.
The 500 comes from my PHP settings. The error is caused by something in these 3 lines as it doesn't occur if I comment them out. The function to set up the settings appears to be being called over and over.
Interestingly the error is displayed even when first trying to access matomo before even reaching a log in page.
Having Matomo in development mode doesn't seem to result in anything else being output. The error log just contains the message "Error in Matomo: Maximum function nesting level of '500' reached, aborting!" |
Hi @andyjdavis looks like there's some infinite recursion. From a quick look, it seems like it's caused by accessing |
Hi @diosmosis I've had a go at avoiding the circular dependency and I think I've got it all working. It was fairly straightforward to make TwoFactorAuthentication::isUserUsingTwoFactorAuthentication() a static method. It calls a few private member functions which I have also made static. Luckily it didn't turn out to require anything that made having an instance of TwoFactorAuthentication necessary. I believe I have found and updated every location calling TwoFactorAuthentication::isUserUsingTwoFactorAuthentication() Let me know if the way I have done this isn't ok. As an alternative I could leave the existing method as non-static then add a new static method. The non-static method could just call the static method. That would reduce the size of the diff and mean that any other third party code (plugins etc) not in this repo that use the TwoFactorAuthentication class wouldn't need to change. I'm not sure if that is a risk here. |
Looks like there are some problems I need to fix. I will get onto them as soon as I am able. |
Update. There is a failing test for which I don't yet have a solution that I am happy with plus the last commit in this PR definitely shouldn't be merged. I am setting this PR to draft until I get it into a state where i believe it can be merged (pending review of course). This problem is that the superuser created for system tests does not have 2fa set up. That means that don't have the ability to turn on the system setting requiring all users to use 2fa. One of the 2fa related system tests toggles on the require 2fa setting but this now results in an error. |
@andyjdavis I took a quick look and looks like the latest build is passing (except for BlobReportLimitingTest which is a random failure). Unless I'm missing something, I'm happy to review again tomorrow. |
Ok @andyjdavis, taking a look at that code, a quick fix for the problem would be to replace |
6c057e2
to
deef422
Compare
@diosmosis this makes things so much simpler than what I was trying to do :) The tests should now pass. When not in test mode $setting->setIsWritableByCurrentUser() relies on whether the current user is using 2fa. |
Hi @andyjdavis, thanks for making the change! The code looks good. I tested the change locally and I noticed the removal of the field could be a problem, since a user may never know the option exists. Instead of using
|
@diosmosis I had the same usability concern but wasn't sure how to go about it. I've now pushed a commit that disables the setting without removing it. I have also updated the string to give the user some information on what they need to do to get the setting to enable. |
Thanks @andyjdavis, the change looks good to merge now! Thanks again for the contribution and for following through with the requested changes. |
@diosmosis thank you for your patience while I worked through this :) |
Description:
Trying to avoid a situation where admin turns on require 2fa without having it set up themselves. #17352
This is just a text change in the admin UI. I will ask my questions about how to determine whether the current user has 2fa enabled in the orginal issue (#17352 ).
Review