Bug #93624

Switch user not possible in case target user activated MFA

Added by Oliver Bartsch about 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Should have
Category: Authentication
Target version: -
Start date: 2021-03-01
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In case an admin, having MFA disabled, tries to switch to another user (Switch-User) having MFA enabled, he is redirected to the auth_mfa route to verify MFA for the target user.

Explanation
- Having passed MFA successfully is indicated by the "mfa" key set to true in the user session record
- Since the admin, having MFA disabled, did not pass MFA, no such key exists
- When switching user, the admin's session is transformed into the switch-user session, still missing the "mfa" key
- Since the target user has MFA activated and there is no key in the session, the admin is required to pass MFA for the user, which is obviously not possible
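
The session logic from the explanation above, modelled as an added example that is not part of the original report and is neither TYPO3's code nor the pushed patch. The function names and the `switchedFrom` session marker are hypothetical, and the guard is one assumed way to avoid the prompt.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the session check from the report; not TYPO3 code.
// 'mfa' is the key named in the report. 'switchedFrom' is an assumed marker
// for a switch-user session, holding the uid of the original admin.

function loginSession(array $user, bool $passedMfa): array
{
    $session = ['uid' => $user['uid']];
    if ($passedMfa) {
        $session['mfa'] = true; // set only after a successful MFA verification
    }
    return $session;
}

// The admin's session is transformed into the target user's session.
// Nothing adds 'mfa', so it stays absent when the admin never passed MFA.
function switchUser(array $adminSession, array $target): array
{
    $session = $adminSession;
    $session['switchedFrom'] = $adminSession['uid'];
    $session['uid'] = $target['uid'];
    return $session;
}

// Check as described in the report: only the 'mfa' key is consulted.
function mfaPromptReported(array $session, array $user): bool
{
    return $user['mfaActive'] && ($session['mfa'] ?? false) !== true;
}

// Assumed guard: a switch-user session is not asked for the target's factor.
function mfaPromptGuarded(array $session, array $user): bool
{
    if (isset($session['switchedFrom'])) {
        return false;
    }
    return mfaPromptReported($session, $user);
}

$admin  = ['uid' => 1, 'mfaActive' => false]; // constructed sample users
$editor = ['uid' => 7, 'mfaActive' => true];

$switched = switchUser(loginSession($admin, false), $editor);
var_dump(mfaPromptReported($switched, $editor)); // switch-user session, reported check
var_dump(mfaPromptGuarded($switched, $editor));  // same session, guarded check
var_dump(mfaPromptGuarded(loginSession($editor, false), $editor)); // editor's own login, MFA not yet passed
```

A guard of this kind is only safe if the switch-user marker is written server-side by the admin-only switch action and can never be set through user-controlled session data.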

#1

Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68164

#2

Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68164

#3

Updated by Gerrit Code Review about 2 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68164

#4

Updated by Oliver Bartsch about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
