Pull Request for Issue #37413.
Remove the auth binding field and checking code to disable the feature until a proper solution has been implemented; see #37405.
See #37413
You are NOT logged into the site
You are logged into the site
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_admin Front End Plugins |
I have tested this item
It took a hell of a lot of effort and help from the CMS Release Team but I managed to test this successfully. I did have to log in to the frontend twice after applying the fix/PR. First time it said my session was pooched or something like that. Second time it worked.
Category | Administration com_admin Front End Plugins | ⇒ | Administration com_users Front End Libraries Plugins |
Category | Administration Front End Plugins com_users Libraries | ⇒ | Administration com_users Language & Strings Front End Libraries Plugins |
Pls do a special update for Joomla 3.10.8 and 4.1.2 release asap for public after this important fix.
Labels | Added: Language Change |
I have tested this item
I approve of this version of the PR. Please consider this as a successful test for the Joomla 4 PR as well.
I have tested this item
I approve of this version of the PR. Please consider this as a successful test for the Joomla 4 PR as well.
Category | Administration Front End Plugins com_users Libraries Language & Strings | ⇒ | Administration com_admin com_users Language & Strings Front End Libraries Plugins |
@nikosdion Could you test (or review) again after the latest changes? Thanks in advance.
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-30 12:00:44 |
Closed_By | ⇒ | zero-24 |
Merging here for now. Thanks for your work here.
While this fixes the lockout it does not address the other issues with this feature.
To begin with, this feature is so broken that it OVERRIDES ITSELF. Selecting None has no effect. I cannot tell Joomla to NOT care about which authentication method I am going to use. Upon next login it will OVERRIDE my preference!!!
If I log in with any authentication method that is, indeed, an authenticator plugin I can no longer log in with any other method. This is not how Joomla is used in the real world! There are legitimate use cases where multiple authentication methods are needed e.g. when using a forum bridge I expect to be able to log into the site with either my Joomla or my forum credentials to name just the most glaringly obvious use case.
If I am using a username and password login method other than Joomla the Two Factor Authentication no longer applies, reverting 10 years of me attempting to bring login security to Joomla. Are you sure you understand the subject matter? All the evidence points to the contrary! How can you conceivably put a “security” feature in Joomla which undoes ACTUAL security features we put in place ten years ago?!
It does not address the fact that WebAuthn and other non-password authentication methods are not listed, misleading and confusing users.
It does not address that the labels and options are confusing and nonsensical.
IMHO it would have been better if this feature was reverted, rethought, reimplemented and only merged in 4.2 if not 5.0 (since it's a major b/c break).
As a result I am not providing a successful test. Replacing something totally borked with something glaringly broken is not a solution. It's perpetuation of the problem you introduced.