
2fa redirect checks wrong permissions #276

@nathanjosiah

Description

2FA has 2 ACL roles. One for global system configuration (Stores -> Settings -> Configuration -> Two Factor Auth) and the other for using 2fa as a user (System -> Permissions -> Two Factor Auth). The first is only needed for configuring the system and the second is needed for an admin user to use and configure their personal 2fa providers.

The feature currently will not allow a regular user to easily set up their personal 2fa without both permissions.

Workaround

ℹ️ As a workaround, once the user has logged in and sees the "Access denied" screen, they can visit https://<magento store>/<admin_path>/tfa/tfa/requestconfig/ to access the personal configuration. Note this will only work smoothly if admin URL security keys are disabled, which is not recommended, but many merchants already have this feature disabled so it is worth noting.

Steps to reproduce:

  1. With an admin user with the Stores -> Settings -> Configuration -> Two Factor Auth permission, log in and configure the available 2fa providers.
  2. Create a user with only the ACL resource System -> Permissions -> Two Factor Auth.
  3. Try to log in as this user.
  4. 👎 The user is shown a "Permission Denied" screen.

👍 Expected: the user is shown the configuration screen to set up their personal 2fa provider.

For additional QA, ensure that a user with only the System -> Permissions -> Two Factor Auth permission is not allowed to set up global 2fa settings.
