No Code Attached Yet Information Required
galamarco
28 Sep 2022

Steps to reproduce the issue

Go to /administrator/index.php?option=com_config&view=component&component=com_users
Set "registered" user in "Disable multi-factor authentication" and save

Expected result

Registered users are not shown 2FA when logging in

Actual result

A user with expired privacy must set up 2-factor authentication

System information (as much as possible)

Joomla 4.2.3

Additional comments

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00

galamarco - open - 28 Sep 2022
galamarco - change - 28 Sep 2022
Labels Removed: ?
joomla-cms-bot - change - 28 Sep 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 28 Sep 2022
nikosdion - comment - 8 Oct 2022

@richard67 Can you please assign this issue to me?

nikosdion - comment - 9 Oct 2022

@galamarco I tried reproducing your issue, unsuccessfully.

First attempt:

  • I installed a new Joomla 4.2 site using the latest development build.
  • I created a new Registered user.
  • I set Show Onboarding to Yes and added Registered to the Disable Multi-factor Authentication.
  • I logged into the frontend.

Observable results:

  • I am not asked to use MFA, nor am I shown the onboarding.
  • Editing my user's profile I cannot set up MFA.

Second attempt:

  • I installed a new Joomla 4.2 site using the latest development build.
  • I created a new Registered user.
  • I logged in with the Registered user and set up MFA. Then, I logged out.
  • In the backend I set Show Onboarding to Yes and added Registered to the Disable Multi-factor Authentication.
  • I logged into the frontend.

Observable results:

  • I am not asked to use MFA, nor am I shown the onboarding.
  • Editing my user's profile I cannot set up or modify MFA; I can only disable MFA (as I should).

Third attempt:

On this site I then enabled the System - Privacy Consent plugin.

I logged back into the frontend. Again, I am not asked for MFA but I am asked for my privacy consent. Saving it I am not asked for MFA. Navigating elsewhere on the page does not ask me for MFA.

Fourth attempt:

I invalidated the user's consent from the backend. Again, I logged back into the frontend. Again, I am not asked for MFA but I am asked for my privacy consent. Saving it I am not asked for MFA. Navigating elsewhere on the page does not ask me for MFA.

At this point I do not think that the reproduction instructions are accurate or that the issue is observable.

Please double check that the user you have a problem with is actually assigned directly to the Registered user group. If they belong to a sub-group of the Registered group, they will not be exempt from MFA. The exemption only applies to users belonging directly to the groups you have listed in the configuration.

Otherwise, please provide additional information on how we can reproduce this issue on a new installation.

@richard67 Can you please label this as information required?
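Added example, not part of the thread and not Joomla's own code: a check for the situation described in the comment above, listing users who belong only to a sub-group of an exempted group and so are still asked for MFA. The table and column names mirror Joomla's `#__usergroups` and `#__user_usergroup_map` with the prefix dropped (an assumption), and the rows are constructed sample data loaded into an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data. Table/column names are assumed to mirror Joomla's
# #__usergroups and #__user_usergroup_map tables (prefix dropped).
SCHEMA = """
CREATE TABLE usergroups (id INTEGER PRIMARY KEY, parent_id INTEGER, title TEXT);
CREATE TABLE user_usergroup_map (user_id INTEGER, group_id INTEGER);
INSERT INTO usergroups VALUES
  (1,0,'Public'),(2,1,'Registered'),(3,2,'Author'),(4,3,'Editor'),(6,1,'Manager');
INSERT INTO user_usergroup_map VALUES (100,2),(101,3),(102,4),(102,2),(103,6);
"""

# Walk the group tree downward from the exempted groups, then report every
# membership in a descendant group held by a user who has no direct
# membership in any exempted group.
QUERY = """
WITH RECURSIVE sub(id) AS (
    SELECT id FROM usergroups WHERE parent_id IN ({ph})
    UNION
    SELECT g.id FROM usergroups g JOIN sub s ON g.parent_id = s.id
)
SELECT m.user_id, g.title
FROM user_usergroup_map m JOIN usergroups g ON g.id = m.group_id
WHERE m.group_id IN (SELECT id FROM sub)
  AND m.user_id NOT IN (
      SELECT user_id FROM user_usergroup_map WHERE group_id IN ({ph}))
ORDER BY m.user_id, g.title
"""

def demo_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def inherited_only_members(conn, exempt_group_ids):
    """Return (user_id, group_title) rows for users who sit only in a
    sub-group of an exempted group, i.e. are not directly exempted."""
    ids = list(exempt_group_ids)
    if not ids:
        return []
    ph = ",".join("?" * len(ids))
    return conn.execute(QUERY.format(ph=ph), ids + ids).fetchall()

if __name__ == "__main__":
    for user_id, title in inherited_only_members(demo_db(), [2]):
        print(f"user {user_id}: only in sub-group '{title}', not exempt from MFA")
```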

richard67 - change - 9 Oct 2022
Labels Added: Information Required
richard67 - labeled - 9 Oct 2022
Hackwar - comment - 17 Feb 2023

Since we didn't get a response for 4 months, I'm closing this issue.

Hackwar - close - 17 Feb 2023
Hackwar - change - 17 Feb 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-02-17 21:39:34
Closed_By: Hackwar
