PR-6.1-dev Pending


zero-24
7 Oct 2025

Summary of Changes

Allow to force or never force MFA for superusers too.

Testing Instructions

Go to Users -> Manage -> Options -> Multi-factor Authentication
Check the options "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"

Actual result BEFORE applying this Pull Request

It's not possible to force or never force MFA for superusers

Expected result AFTER applying this Pull Request

It is possible to force or never force MFA for superusers

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

zero-24 - open - 7 Oct 2025
zero-24 - change - 7 Oct 2025
Status New Pending
joomla-cms-bot - change - 7 Oct 2025
Category Administration com_users
zero-24 - change - 8 Oct 2025
Labels Added: PR-5.4-dev
richard67 - comment - 8 Oct 2025

Hmm, not sure if it is a new feature which would have to go into 6.1-dev.

zero-24 - comment - 8 Oct 2025

Done @richard67

richard67 - change - 8 Oct 2025
Title
[5.x] Allow to force or never force MFA for superusers
[6.1] Allow to force or never force MFA for superusers
richard67 - edited - 8 Oct 2025
zero-24 - change - 23 Oct 2025
Labels Added: PR-6.1-dev
Removed: PR-5.4-dev
ceford - comment - 4 Nov 2025

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.

zero-24 - comment - 4 Nov 2025

> I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

Good question. I have not changed the code, so the same will happen when you select Administrator in both.

If anything, you will not lock yourself out, as that only makes sure that it's forced that you have to set up 2FA or not. But in the end it will always be a binary decision.

This is the code, so if I understand this correctly then forcing 2FA will win:

$neverMFAUserGroups = $userOptions->get('neverMFAUserGroups', []);
$forceMFAUserGroups = $userOptions->get('forceMFAUserGroups', []);
// True when the user is in at least one "never" group
$isMFADisallowed = \count(
    array_intersect(
        \is_array($neverMFAUserGroups) ? $neverMFAUserGroups : [],
        $user->getAuthorisedGroups()
    )
) >= 1;
// True when the user is in at least one "force" group
$isMFAMandatory = \count(
    array_intersect(
        \is_array($forceMFAUserGroups) ? $forceMFAUserGroups : [],
        $user->getAuthorisedGroups()
    )
) >= 1;
// A user matching both lists is treated as mandatory, not disallowed
$isMFADisallowed = $isMFADisallowed && !$isMFAMandatory;
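
The precedence described in the comment above, as an added example that is not part of the thread and not Joomla's own code: it reproduces the same two intersections as plain functions and evaluates them for users who match both options. The function names, the three result labels and the group IDs (2, 7 and 8, taken to be Registered, Administrator and Super Users as on a default install) are assumptions made for illustration.

```php
<?php
// Added example, not Joomla code. Mirrors the precedence of the quoted snippet.

/** Hypothetical helper: effective MFA state for one user's authorised groups. */
function mfaPolicyFor(mixed $neverGroups, mixed $forceGroups, array $userGroups): string
{
    // Same guard as the quoted code: a non-array option value counts as "no groups".
    $never = \is_array($neverGroups) ? $neverGroups : [];
    $force = \is_array($forceGroups) ? $forceGroups : [];

    $isMandatory  = \count(array_intersect($force, $userGroups)) >= 1;
    $isDisallowed = \count(array_intersect($never, $userGroups)) >= 1 && !$isMandatory;

    return $isMandatory ? 'mandatory' : ($isDisallowed ? 'disallowed' : 'optional');
}

/** Hypothetical audit helper: groups selected in both options at once. */
function overlappingGroups(mixed $neverGroups, mixed $forceGroups): array
{
    return array_values(array_intersect(
        \is_array($neverGroups) ? $neverGroups : [],
        \is_array($forceGroups) ? $forceGroups : []
    ));
}

// Constructed sample data: [never option, force option, user's authorised groups].
// Assumed group IDs: 2 = Registered, 7 = Administrator, 8 = Super Users.
$cases = [
    'Super Users in both options'          => [[8], [8], [2, 8]],
    'never=Super Users, force=Registered'  => [[8], [2], [2, 8]],
    'never=Super Users only'               => [[8], [], [2, 8]],
    'never=Super Users, force unset ("")'  => [[8], '', [2, 8]],
    'IDs stored as strings, both options'  => [['8'], ['8'], [2, 8]],
    'administrator, no option matches'     => [[8], [8], [2, 7]],
];

foreach ($cases as $label => [$never, $force, $userGroups]) {
    printf("%-38s %s\n", $label, mfaPolicyFor($never, $force, $userGroups));
}

// A configuration review can flag groups whose "never" entry has no effect.
$both = overlappingGroups([7, 8], [8]);
printf("Selected in both options: %s\n", implode(', ', $both));
```

The second case shows that the overlap is evaluated per user rather than per group: a "never" entry for one group is overridden whenever the user also belongs to any group in the "force" option.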
