Steps to reproduce the issue:

1. Install Joomla 4.1.0
2. Create a secondary user, let's call it joomlalala
3. Log into the site with joomlalala
4. Edit your user profile and set up WebAuthn
5. Log out of the site
6. Log into the backend of the site with your primary Super User account
7. Update to Joomla 4.1.1
8. Go to the frontend of the site
9. Log into the site with joomlalala using WebAuthn
10. Log out of the site
11. Try to log back into the site with user joomlalala using a password

Expected result: You are logged into the site

Actual result: You are NOT logged into the site

System information: Completely irrelevant.
You are blindly setting the user's authProvider field to whatever the login method's type is, without checking whether it corresponds to an existing plugin in the authentication group or whether it's a placeholder, like what's CORRECTLY used by WebAuthn to differentiate passwordless from password logins.
You are then using that to lock the user to that non-existent authentication plugin which means that the user can no longer log in. They can only log in with WebAuthn. If the site operator edits the database and disables the WebAuthn plugin (or simply deletes the plugins/system/webauthn folder in a desperate attempt to figure out what the hell is going on) they are LOCKED. OUT. OF. THEIR. SITE.
The same thing happens if the user is first logged into the site after the upgrade with the Remember Me (cookie authentication) plugin. In this case it's even worse because you are now completely locked out of the site. If you are the sole Super User, congratulations, you are completely dead in the water.
I will open a separate issue for Joomla 3.
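The following is an added illustration of the failure mode the report describes; it is not the reporter's code and not Joomla's own code. It models, in plain PHP with no Joomla API, a user record whose authProvider field is written from the login method's type, with the set of enabled authentication plugins, the placeholder type name and the "only the locked provider may log in" gate all being constructed assumptions for the example. The blind variant reproduces the lockout; the checked variant refuses to persist a type that is a placeholder or that names no enabled authentication plugin.

```php
<?php
// Added example (not Joomla code): why persisting an unchecked login type as
// authProvider locks the user out, and what the check should look like.

declare(strict_types=1);

// Constructed: plugin names enabled in the "authentication" group on this site.
const ENABLED_AUTH_PLUGINS = ['joomla', 'ldap'];

// Constructed: type names that are placeholders, not plugins. 'passwordless'
// stands for the marker WebAuthn uses to tell passwordless from password logins.
const PLACEHOLDER_TYPES = ['passwordless'];

final class UserRecord
{
    // null means "not locked to any provider".
    public ?string $authProvider = null;
}

// Behaviour as reported: store whatever type the login method announced.
function recordLoginBlind(UserRecord $user, string $loginType): void
{
    $user->authProvider = $loginType;
}

// Hardened behaviour: a placeholder or an unknown type must never become a lock.
function recordLoginChecked(UserRecord $user, string $loginType): void
{
    if (in_array($loginType, PLACEHOLDER_TYPES, true)) {
        return; // placeholder: nothing to lock to
    }
    if (!in_array($loginType, ENABLED_AUTH_PLUGINS, true)) {
        return; // not an enabled authentication plugin: refuse to persist
    }
    $user->authProvider = $loginType;
}

// Assumed gate semantics: once authProvider is set, a login attempt is only
// accepted when it comes from exactly that provider.
function loginPermitted(UserRecord $user, string $attemptType): bool
{
    return $user->authProvider === null || $user->authProvider === $attemptType;
}

// Walk through the reported sequence: first login after the upgrade is via
// WebAuthn (type 'passwordless'), then a password login ('joomla') is attempted.
function reproduceLockout(): array
{
    $blind = new UserRecord();
    recordLoginBlind($blind, 'passwordless');

    $checked = new UserRecord();
    recordLoginChecked($checked, 'passwordless');

    return [
        // Locked to a placeholder: password login is refused, only WebAuthn works.
        // If the WebAuthn plugin is then disabled, no attempt can carry that type.
        'blind_password_login'     => loginPermitted($blind, 'joomla'),
        'blind_webauthn_login'     => loginPermitted($blind, 'passwordless'),
        // The check left authProvider null, so both methods keep working.
        'checked_password_login'   => loginPermitted($checked, 'joomla'),
        'checked_webauthn_login'   => loginPermitted($checked, 'passwordless'),
    ];
}

var_dump(reproduceLockout());
```

Run it with `php lockout.php`; the blind record refuses the password login while the checked record accepts both, which is the difference between a user who can still sign in and one who is locked out once the placeholder's plugin disappears.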
| Field | Before | After |
|---|---|---|
| Labels | | Added: No Code Attached Yet |
| Status | New | Closed |
| Closed_Date | 0000-00-00 00:00:00 | 2022-03-29 21:07:44 |
| Closed_By | | richard67 |
I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.
The PR fixes the issue reported here and does not claim to fix others.
which is about as useful as a chocolate teapot
Confirmed, see #37415