Problem/Motivation
When a user is required to set up TFA, the page displays a message:
You are required to setup two-factor authentication here. You have 2 attempts left. After this you will be unable to login.
This message is displayed regardless of the user's access to the TFA overview page. As a result, users may be served an 'Access denied' page when clicking 'here'.
Proposed resolution
Display a different message for users without the 'setup own tfa' permission.
Remaining tasks
- Write a patch
- Review
- Commit
User interface changes
Users that have no access to setup their TFA are not directed to the account TFA overview page.
API changes
None.
Data model changes
None.
Comments
Comment #2
vatsalkhanna commentedPlease check the patch attached.
Comment #3
vatsalkhanna commentedPlease ignore the above one. Check this patch
Comment #4
vatsalkhanna commentedComment #5
jcnventuraMoving all open issues to the 2.x branch.
Comment #6
cmlaraNeeds rebase to 2.x
Also the message "You do not have permission to setup TFA. Please contact administrator" would likely be better along the lines of:
"You are required to setup two-factor authentication however your account does not have the necessary permissions. Please contact an administrator. You have @remaining attempt(s) left. After this you will be unable to login." Run through formatPlural() so that users know the risk of not taking action.
Comment #7
cmlaraComment #8
cmlaraCritical change: the hasSkipped() needs to be outside the if/else check as it applies to both those user with and without permission to setup their TFA tokens.
Comment #9
cmlaraHere is the 1.x patch
The change to TfaPasswordResetTest.php is due to #3387681: TfaPasswordResetTest does not directly test TFA prompts. testing for the messages instead of validating the login forms.
Comment #12
cmlara