Problem/Motivation

The Excluded section of the configuration for this module makes the assumption, I guess, that users with high enough permissions don't need to bother with two-factor authentication, while less privileged users do. But in my case, less privileged users (with just the authenticated role) don't have any power, so we don't require 2fa for them. Meanwhile, admins can do lots of stuff, so we want to ask them to jump through more hoops to log in.

Right now I can exclude certain roles from using 2FA, including the "Authenticated" role. But doing that means anyone with any higher level of permission is also excluded. Essentially, if I exclude the "Authenticated" role I've effectively disabled the module for every logged-in user.

Steps to reproduce

  1. Set up the module to require 2fa with the "Authenticated" user excluded, but all other higher-level permissions enabled.
  2. Log in as a user with a higher role, like an Administrator
  3. See no 2fa prompt

Here's my example setup:

Proposed resolution

There's ambiguity in the "Exclude roles" field that we could clear up by adding another field, and this would also allow us to add logic to force only Admins to use 2fa. Here's my proposed screenshot:

This adds a field that allows users to switch the logic of the "Excluded Roles" field between "Disable Email TFA for users with any of the following roles" which is what the module does now, and "Force Email TFA for users with any of the following roles" which is what I need. I'll add a patch for this in the next comment.

Remaining tasks

Add patch

User interface changes

New field on the Settings page that lets you choose the type of exclusion rules applied by Role. The existing logic will be assumed to be the default, so the module will be backward-compatible even if the config change is undone.

Data model changes

New schema field "role_exclusion_type".
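As an added illustration (not the module's own code and not part of this issue or its patch), here is a stand-alone PHP script that models the two role-check modes the summary describes, so the "exclude Authenticated" reproduce case can be seen side by side with the proposed "force" mode. The function name, the 'exclude'/'force' values and the sample role names are assumptions, not the module's API:

```php
<?php
// Added example, not code from the email_tfa module. Models the role check
// described in the issue summary. The function name, the 'exclude'/'force'
// values and the sample role names are assumptions.

declare(strict_types=1);

/**
 * Decide whether Email TFA applies to an account.
 *
 * @param string[] $accountRoles
 *   Role machine names of the account. In Drupal every logged-in account
 *   carries 'authenticated' in addition to any roles granted to it.
 * @param string[] $selectedRoles
 *   Roles ticked in the "Exclude roles" field.
 * @param string $exclusionType
 *   'exclude' = existing behaviour: skip TFA for any account holding a
 *               selected role.
 *   'force'   = proposed behaviour: require TFA only for accounts holding a
 *               selected role.
 */
function email_tfa_applies(array $accountRoles, array $selectedRoles, string $exclusionType = 'exclude'): bool {
  $holdsSelectedRole = count(array_intersect($accountRoles, $selectedRoles)) > 0;
  switch ($exclusionType) {
    case 'exclude':
      return !$holdsSelectedRole;
    case 'force':
      return $holdsSelectedRole;
    default:
      throw new InvalidArgumentException("Unknown role_exclusion_type: $exclusionType");
  }
}

// Constructed sample accounts (hypothetical).
$accounts = [
  'member' => ['authenticated'],
  'admin'  => ['authenticated', 'administrator'],
];

// Scenario 1: the reproduce case from the summary. 'authenticated' is ticked
// under the existing 'exclude' logic.
// Scenario 2: the proposed 'force' logic with only 'administrator' ticked.
$scenarios = [
  ['type' => 'exclude', 'selected' => ['authenticated']],
  ['type' => 'force',   'selected' => ['administrator']],
];

foreach ($scenarios as $scenario) {
  printf("role_exclusion_type=%s, selected=[%s]\n",
    $scenario['type'], implode(', ', $scenario['selected']));
  foreach ($accounts as $name => $roles) {
    printf("  %-6s -> TFA %s\n",
      $name,
      email_tfa_applies($roles, $scenario['selected'], $scenario['type']) ? 'required' : 'skipped');
  }
}
```

Run it with `php example.php`. Because every logged-in account in Drupal carries the authenticated role, ticking that role in the existing 'exclude' mode skips TFA for the administrator account as well, which is exactly the reproduce case above; in the proposed 'force' mode only accounts holding a ticked role are challenged, so the member is left alone and the administrator is prompted.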

Issue fork email_tfa-3330031


Comments

mariacha1 created an issue.

mariacha1:

Status: Active » Needs review
abdulaziz zaid:

Hi mariacha1,

Thanks for your work, but I think you need to uncheck the "Authenticated user" role for this to work with the higher role.

Or fix this by unsetting the "Authenticated user" role from the Exclude roles field, because if that role is checked the module does not work, since all users in Drupal are "Authenticated users".

abdulaziz zaid:

Hi mariacha1,

Thank you again, and kindly ignore my previous comment.

I will test it more and get back to you.

abdulaziz zaid:

Status: Needs review » Needs work

Hi mariacha1,

Sorry, this needs work:

1- change the comment for email_tfa_update_8003 to Add a default value to the new field role_exclusion_type.

2- add a message after selecting force email TFA that all logged-in users will be logged out.

3- Fix the standard code.

abdulaziz zaid:

Status: Needs work » Fixed

Thank you mariacha1,

Merged !8 🎉

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.