I've installed Drupal 10.0.3 and installed & set up the 2FA plugin
vendor/bin/drush status | egrep "Drupal version"
Drush version : 11.4.0
composer require 'drupal/tfa:2.x-dev@dev'
composer show | grep tfa
drupal/tfa dev-2.x 2f92b27 Pluggable provider of two factor authenticatio...
tfa config includes usage for 'Authenticated User'
[X] Enable TFA
Roles required to set up TFA
[X] Authenticated user
[ ] Content editor
[ ] Administrator
Allowed Validation plugins
[X] TFA Time-based one-time password (TOTP)
Default Validation plugin: TFA Time-based one-time password (TOTP)
Number of Accepted Codes: 2
[X] Use site name as OTP QR code name prefix.
Skip Validation: 1
I created a new authenticated user,
vendor/bin/drush user:create ${_U} --mail="${_E}" --password="${_P}"
vendor/bin/drush user:information ${_U}
+---------+-----------+----------------------------+---------------+-------------+
| User ID | User name | User mail | User roles | User status |
+---------+-----------+----------------------------+---------------+-------------+
| 5 | testusr | testusr@example.com | authenticated | 1 |
+---------+-----------+----------------------------+---------------+-------------+
I can log in to that authenticated user OK with the credentials I used in the setup.
On site login with that user I'm redirected to
https://example.com/?check_logged_in=1
which displays
You are required to setup <two-factor authentication>. You have 0 attempts left. After this you will be unable to login.
Clicking the link redirects to
https://example.com/user/5/security/tfa
Which displays
Access denied
You are not authorized to access this page.
Bug? Or missing a needed grant of access?
Comments
Comment #1
aldev created an issue. See original summary.
Comment #2
jcnventura: It seems that your users don't have the "setup own tfa" permission. I do agree that maybe that permission should be granted by default to all existing roles at the time of installing the site, as it makes little sense to block users from setting up their own TFA.
Comment #3
greggles: I think it should be granted to roles manually so maybe documentation makes the most sense to try to improve this situation.
The use case is that admins on a site should have TFA, but the UX and extra security are not appropriate for the typical end-user roles.
Comment #4
jcnventura: Still, if a user's role makes it mandatory for them to have TFA, they should be granted access to the per-user TFA settings. The access check should maybe take into account both the "setup own tfa" permission and the "Roles required to set up TFA".
Comment #5
greggles: That makes sense to me to harmonize them. Validation on the "roles required" could check that all those roles have the permission.
Comment #6
bhanu951: Can confirm, on a default installation this issue occurs.
Granting "setup own tfa" permission to the required role fixed it.
It would be helpful if we could just display a message after enabling the module stating that the permission needs to be explicitly assigned to the roles in order to set up TFA.
Comment #7
cmlara: While this was indeed my first thought when I accidentally ran into this issue the other day, I'm not sure we should run under that assumption.
There is indeed a difference between 'required to have tfa' and 'allowed to make changes to token'; just because you're required to use TFA doesn't mean you're allowed to configure it (though I will admit in most cases this will indeed be true).
I'm inclined to think this should indeed be a documentation change and, if we want to reduce the support burden, add a status indication under each role that is available to be required: "Role does not have access to configure own tokens, see permissions" (with a link to the Drupal permissions page). This somewhat tracks with the suggestion from #6.
Comment #9
cmlara: Opened MR based on my suggestions in #6 for the SettingsForm to make it more apparent that the "setup own tfa" permission is often necessary.
The remainder of this issue regarding the messaging that leads the user to the error in the first place is probably best handled in the already open #3089931: Users are directed to TFA overview regardless of 'setup own tfa' permission
Comment #10
cmlara
Comment #11
cmlara: Committed to Dev.
Not currently planning on back-porting to 1.x at this time since it involves form constructor changes for what is essentially a feature.