[Bug]: Changing Enforce 2FA setting fails silently with read-only config #59148

@ykahveci


Bug description

With a read-only config, the setting "Enforce two-factor authentication" in the web interface cannot possibly be changed, because this would require a config change.

It is not disabled in the frontend though, and trying to save fails silently, without displaying the relevant error. It only becomes apparent that the change wasn't persisted if the page is reloaded.

Steps to reproduce

  1. Enable config_is_read_only
  2. Navigate to /settings/admin/security
  3. Change the "Enforce two-factor authentication" setting (I'm guessing at least one 2FA provider might need to be installed)
  4. Click "Save changes"
  5. Reload the page and notice the setting not getting applied, despite the lack of an error

Inspecting the network request, a call to /settings/api/admin/twofactorauth can be observed, the response of which (status code 502) contains an HTML page with the following error:

Config is set to be read-only via option "config_is_read_only".
Unset "config_is_read_only" to allow changes to the config file.

Expected behavior

The error "Config is set to be read-only..." should be displayed on the settings page.

  • At least, the error should be properly displayed when saving
  • Better yet, settings that cannot be changed in the web interface with a read-only config should be marked as read-only with a note why they cannot be changed.

Nextcloud Server version

33

Operating system

Other

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 31 to 32)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "trusted_domains": [
            "irrelevant"
        ],
        "overwrite.cli.url": "https:\/\/irrelevant",
        "apps_paths": [
            {
                "path": "\/usr\/share\/webapps\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/usr\/share\/webapps\/nextcloud\/wapps",
                "url": "\/apps",
                "writable": false
            }
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "log_type": "errorlog",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "dbtype": "mysql",
        "version": "33.0.0.16",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "",
        "mysql.utf8mb4": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "loglevel": 0,
        "simpleSignUpLink.shown": false,
        "htaccess.RewriteBase": "\/",
        "theme": "",
        "knowledgebaseenabled": false,
        "auth.webauthn.enabled": false,
        "skeletondirectory": "\/var\/lib\/nextcloud\/skel",
        "enabledPreviewProviders": [
            "irrelevant..."
        ],
        "data-fingerprint": "********************************",
        "default_phone_region": "irrelevant",
        "activity_expire_days": 30,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "allow_local_remote_servers": true,
        "maintenance_window_start": 1,
        "serverid": 1,
        "appstoreenabled": false,
        "config_is_read_only": true,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": []
    }
}

List of activated Apps

  - activity: 6.0.0-dev.0
  - apporder: 0.15.0
  - bruteforcesettings: 6.0.0-dev.0
  - calendar: 5.0.10
  - cloud_federation_api: 1.17.0
  - contacts: 6.1.3
  - dav: 1.36.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0-dev.0
  - files_external: 1.25.1
  - files_markdown: 2.4.1
  - files_pdfviewer: 6.0.0-dev.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - impersonate: 1.17.1
  - lookup_server_connector: 1.21.0
  - notes: 4.11.0
  - notifications: 6.0.0
  - oauth2: 1.21.0
  - password_policy: 5.0.0-dev.0
  - photos: 6.0.0-dev.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - related_resources: 4.0.0-dev.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - text: 7.0.0-dev.3
  - theming: 2.8.0
  - twofactor_backupcodes: 1.22.0
  - twofactor_totp: 15.0.0-dev.0
  - viewer: 6.0.0-dev.0
  - workflowengine: 2.15.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

// No relevant log entries found

Additional info

I have no reason to believe that this is limited to the "Enforce two-factor authentication" setting and does not occur elsewhere.
To avoid confusion, the config_is_read_only property should be properly communicated to the user whenever any config values can be changed from the frontend.
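
The error handling the report asks for, sketched as an added example (not part of the original issue and not Nextcloud's code): the save path checks the HTTP status, extracts the read-only message from the HTML error page, and confirms the stored value after a successful save. The endpoint path and error text are from the report; the `PUT` method, the `{ enforced }` body and response shape, and all function names are assumptions.

```javascript
// Added example, not Nextcloud code. Endpoint path and error text come from
// the report; the PUT method and the JSON body/response shape are assumptions.
const ENDPOINT = '/settings/api/admin/twofactorauth';

// Reduce an HTML (or plain-text) error page to a short readable message.
function extractError(body) {
  const text = body
    .replace(/<(script|style)[\s\S]*?<\/\1>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .replace(/&quot;/g, '"')
    .replace(/\s+/g, ' ')
    .trim();
  const m = text.match(/Config is set to be read-only[^.]*\.(?: Unset [^.]*\.)?/);
  return m ? m[0] : text.slice(0, 200);
}

// Decide what the settings page should show after a save attempt.
// readBack: value the server reports on a follow-up read, or null if not read.
function evaluateSave(status, body, requested, readBack) {
  if (status < 200 || status >= 300) {
    return { saved: false, message: `Not saved (HTTP ${status}): ${extractError(body)}` };
  }
  if (readBack !== null && readBack !== requested) {
    return { saved: false, message: 'Request accepted, but the stored setting did not change.' };
  }
  return { saved: true, message: 'Saved.' };
}

// fetch() resolves on HTTP errors too, so the status must be checked explicitly.
async function saveEnforced(fetchImpl, enforced) {
  const res = await fetchImpl(ENDPOINT, {
    method: 'PUT', // assumed method
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ enforced }), // assumed body shape
  });
  const body = await res.text();
  let readBack = null;
  if (res.ok) {
    const check = await fetchImpl(ENDPOINT); // assumed: GET returns { enforced }
    readBack = (await check.json()).enforced;
  }
  return evaluateSave(res.status, body, enforced, readBack);
}

// Constructed sample of the 502 error page described in the report.
const SAMPLE_502 = '<html><body><h2>Error</h2><p>Config is set to be read-only via ' +
  'option &quot;config_is_read_only&quot;. Unset &quot;config_is_read_only&quot; ' +
  'to allow changes to the config file.</p></body></html>';
```

For a security setting such as 2FA enforcement, the read-back comparison matters as much as the status check: it catches a save that returns success without changing the stored value.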


Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), 33-feedback, bug
