Pull Request for Issue #38476 .

Summary of Changes

The Joomla\CMS\Application\MultiFactorAuthenticationHandler::isMultiFactorAuthenticationPage method is now public and has an optional argument to only consider captive pages.

The plg_system_stats plugin uses this method to check whether it is running a captive MFA page and refuse to continue.

A previously hard-coded exception for the stats plugin has been removed from the MultiFactorAuthenticationHandler Trait.

Testing Instructions

• Install Joomla 4.2.0
• DO NOT make a choice about the stats collection just yet
• Set up MFA for your user account
• Log out
• Log back in

Actual result BEFORE applying this Pull Request

You see the stats collection interface in the captive MFA page. Trying to use its buttons leads to a broken display experience as per the issue #38476.

Expected result AFTER applying this Pull Request

You do NOT see the stats collection interface in the captive MFA page or any of the captive pages you are allowed access to (basically, selecting an MFA method). It does appear after completing the MFA validation.

Documentation Changes Required

Plugins which render user interfaces in the backend of the site must check whether they are running under the Multi-factor Authentication feature's captive pages using the following code:

method_exists($this->app, 'isMultiFactorAuthenticationPage')
            && $this->app->isMultiFactorAuthenticationPage(true);

If this returns true the plugin MUST NOT render its user interface.