Problem/Motivation

Users with some permission combinations are shown a broken link to the tfa.disable route when they can't actually access it.

  • When a user has administer tfa for other users but not disable own tfa while viewing own TFA page
  • When a user has disable own tfa but not administer tfa for other users while viewing another user's TFA page

Proposed resolution

Change the logic in TfaOverviewForm::buildForm from hasPermission to Url->access

CommentFileSizeAuthor
#3 tfa-disable-link-access-1.10.patch1.24 KBjvollebregt-swis
#3 tfa-disable-link-access.patch1.33 KBjvollebregt-swis

Issue fork tfa-3531309

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

jvollebregt-swis created an issue. See original summary.

jvollebregt-swis opened merge request !149

jvollebregt-swis’s picture

jvollebregt-swis commented
StatusFileSize
new tfa-disable-link-access.patch1.33 KB
new tfa-disable-link-access-1.10.patch1.24 KB

Submitted an MR to fix it. I'm also uploading a patch file of the MR for 2.x and one for 1.x for use with composer-patches (Though they're the same code, the line numbers changed)

cmlara’s picture

cmlara
he/him
commented
Status: Active » Needs review

@jvollebregt-swis do you consider this ready for review or is there other work still to be done?

jvollebregt-swis’s picture

jvollebregt-swis commented

@cmlara yes this is ready for review, was I supposed to tag this somehow?

cmlara’s picture

cmlara
he/him
commented

was I supposed to tag this somehow?

Currently under Drupal.org issues are generally marked 'needs review' when ready, although I imagine when D.O. move's to GitLab issues it may just be the presence of a non-draft MR.

Just wanted to validate you were not working on any concerns before I proceed with testing

cmlara’s picture

cmlara
he/him
commented

When a user has disable own tfa but not administer tfa for other users while viewing another user's TFA page

I'm not able to duplicate having access to another users TFA page unless they have the administer tfa or other users permission.

If you are able to duplicate this scenario it should be rasied as a private security issue for further discussion.

When a user has administer tfa for other users but not disable own tfa while viewing own TFA page

I am able to duplicate this, and attached patch does appear to remove the link.

As noted in IS access is blocked when clicking on the link making the change purely cosmetic.

cmlara’s picture

cmlara
he/him
commented
Status: Needs review » Fixed

  • cmlara committed 83770a81 on 8.x-1.x 
    Issue #3531309 by jvollebregt-swis: TfaOverviewForm shows "Disable TFA"...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.