Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#46248] - [6.1] Allow to force or never force MFA for superusers

Feature RTC PR-6.1-dev Pending

User tests: Successful: Unsuccessful:

avatar zero-24
zero-24
7 Oct 2025

Summary of Changes

Allow to force or never force MFA for superusers too.

Testing Instructions

Go to Users -> Manage -> Options -> Multi-factor Authentication
Check the options "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"

Actual result BEFORE applying this Pull Request

Its not possible to force or never force MFA for superusers
image

Expected result AFTER applying this Pull Request

It is possible to force or never force MFA for superusers
image

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar zero-24 zero-24 - open - 7 Oct 2025
avatar zero-24 zero-24 - change - 7 Oct 2025
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 7 Oct 2025
Category Administration com_users
avatar zero-24 zero-24 - change - 8 Oct 2025
Labels Added: PR-5.4-dev
avatar richard67
richard67 - comment - 8 Oct 2025

Hmm, not sure if it is a new feature which would have to go into 6.1-dev.

avatar zero-24
zero-24 - comment - 8 Oct 2025

Done @richard67

avatar richard67 richard67 - change - 8 Oct 2025
Title
[5.x] Allow to force or never force MFA for superusers
[6.1] Allow to force or never force MFA for superusers
avatar richard67 richard67 - edited - 8 Oct 2025
avatar zero-24 zero-24 - change - 23 Oct 2025
Labels Added: PR-6.1-dev
Removed: PR-5.4-dev
avatar ceford
ceford - comment - 4 Nov 2025

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.

avatar zero-24
zero-24 - comment - 4 Nov 2025

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

Good question i have not changed the code so the same will happen when you select both Administrator.

If anything you will not lock you self as that only makes sure that its forced that you have to setup 2FA or not. But in the end it will always be a binary decision.

This is the code so when i understand this correctly than forceing 2FA will win:

joomla-cms/libraries/src/Application/MultiFactorAuthenticationHandler.php

Lines 100 to 114 in d4be2a6

$neverMFAUserGroups = $userOptions->get('neverMFAUserGroups', []);
$forceMFAUserGroups = $userOptions->get('forceMFAUserGroups', []);
$isMFADisallowed = \count(
array_intersect(
\is_array($neverMFAUserGroups) ? $neverMFAUserGroups : [],
$user->getAuthorisedGroups()
)
) >= 1;
$isMFAMandatory = \count(
array_intersect(
\is_array($forceMFAUserGroups) ? $forceMFAUserGroups : [],
$user->getAuthorisedGroups()
)
) >= 1;
$isMFADisallowed = $isMFADisallowed && !$isMFAMandatory;

avatar tecpromotion tecpromotion - test_item - 29 Dec 2025 - Tested successfully
avatar tecpromotion
tecpromotion - comment - 29 Dec 2025

I have tested this item ✅ successfully on 34b30b7

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.

avatar muhme muhme - test_item - 2 Jan 2026 - Tested successfully
avatar muhme
muhme - comment - 2 Jan 2026

I have tested this item ✅ successfully on 34b30b7

Tested with JBT on currect 6.1-dev

  • Checked before Superusers is not selectable in "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"
  • Applied PR with Pat h Tester
  • Tested 'Disable Multi-factor Authentication' Super Users is selectable and saveable
  • Enforce Multi-factor Authentication Super Users is selectable and saveable
    • Multifactore authentication is needed and working on next login
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.
avatar richard67 richard67 - change - 2 Jan 2026
Status Pending Ready to Commit
Build 5.4-dev 6.1-dev
avatar richard67
richard67 - comment - 2 Jan 2026

RTC

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.

avatar HLeithner HLeithner - change - 9 Jan 2026
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2026-01-09 08:36:48
Closed_By HLeithner
Labels Added: Feature RTC
avatar HLeithner HLeithner - close - 9 Jan 2026
avatar HLeithner HLeithner - merge - 9 Jan 2026
avatar HLeithner
HLeithner - comment - 9 Jan 2026

thanks

Add a Comment

Login with GitHub to post a comment