From ab4c69e0cc08c0b493378a4294efab51619ab402 Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:20:31 -0600
Subject: [PATCH 01/10] Add a config setting to users.

---
 config/users.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/config/users.php b/config/users.php
index 70e266eb280..568053b12a5 100644
--- a/config/users.php
+++ b/config/users.php
@@ -176,11 +176,24 @@
 | Users may be required to reauthorize before performing certain
 | sensitive actions. This is called an elevated session. Here
 | you may configure the duration of the session in minutes.
+ | You may also disable the elevated session entirely.
 |
 */
 
 'elevated_session_duration' => 15,
 
+ /*
+ |--------------------------------------------------------------------------
+ | Elevated Session Disabled
+ |--------------------------------------------------------------------------
+ |
+ | Here you may disable elevated sessions entirely. This can be
+ | useful when using OAuth.
+ |
+ */
+
+ 'elevated_session_disabled' => false,
+ /* + |--------------------------------------------------------------------------
 | Two-Factor Authentication

From 99e6da1c5d054a72a99d21250795ca0a7a57244b Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:21:00 -0600
Subject: [PATCH 02/10] Disable in CP if elevated sessions are disabled in config.

---
 src/Http/Controllers/CP/CpController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index b7a65ed5f88..350f9475908 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 
 public function requireElevatedSession(): void
 {
- if (! request()->hasElevatedSession()) {
+ if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
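Review bot: The bypass condition added to `requireElevatedSession()` in the CpController hunk is duplicated verbatim in the `RequireElevatedSession` middleware in the next patch (L2), so the decision "is an elevated session required at all?" now lives in two enforcement points that must be kept in sync by hand; every later rename of the key in this series (patches 05, 07, 09) had to touch both, which is the usual symptom. A single request-level helper that both call, wrapping the config read and the `hasElevatedSession()` check, would keep the two from drifting apart. On this version of the key the absent-config case still fails closed, because `! config(...)` is true when the key is missing; that property is worth preserving when the flag is inverted later.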
From 8b135cf7bfcae3c5fe7e531772cdb3f9ec07db2a Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:21:06 -0600
Subject: [PATCH 03/10] Disable in middleware if elevated sessions are disabled in config.

---
 src/Http/Middleware/CP/RequireElevatedSession.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Http/Middleware/CP/RequireElevatedSession.php b/src/Http/Middleware/CP/RequireElevatedSession.php
index cf493393a8a..efbcf859946 100644
--- a/src/Http/Middleware/CP/RequireElevatedSession.php
+++ b/src/Http/Middleware/CP/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (! $request->hasElevatedSession()) {
+ if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 

From 386337dbc778ab825767f9e5031ceb7b5535ff26 Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:43:23 -0600
Subject: [PATCH 04/10] Add tests to validate the disabled elevated session behavior.

---
 tests/Auth/ElevatedSessionTest.php | 41 +++++++++++++++++++++++++++
 tests/Feature/Roles/StoreRoleTest.php | 20 +++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index b90cd98dd92..22e5970cccb 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -300,6 +300,47 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 ->assertJson(['message' => __('Requires an elevated session.')]);
 }
 
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->get('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->withElevatedSession(now()->subMinutes(16))
+ ->get('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->withElevatedSession(now()->subMinutes(16))
+ ->getJson('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
 #[Test]
 public function the_session_is_elevated_upon_login()
 {
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 999431e2b95..5beffbe2880 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -68,6 +68,26 @@ public function it_denies_access_without_active_elevated_session()
 ->assertRedirect('/cp/auth/confirm-password');
 }
 
+ #[Test]
+ public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this
+ ->actingAsUserWithPermissions(['edit roles'])
+ ->store([
+ 'title' => 'No Elevated Session',
+ 'handle' => 'no_elevated_session',
+ 'permissions' => ['one', 'two'],
+ ])
+ ->assertOk()
+ ->assertJson(['redirect' => cp_route('roles.index')]);
+
+ $role = Role::find('no_elevated_session');
+ $this->assertEquals('No Elevated Session', $role->title());
+ $this->assertEquals(['one', 'two'], $role->permissions()->all());
+ }
+
 #[Test]
 public function it_stores_a_role()
 {

From 5158dfe3a3578ca48ef5e0baa4246720f1d0924c Mon Sep 17 00:00:00 2001
From: Steven Grant
Date: Fri, 10 Apr 2026 08:38:47 +1200
Subject: [PATCH 05/10] Rename config to elevated_sessions_enabled with true default.

---
 config/users.php | 6 +++---
 src/Http/Controllers/CP/CpController.php | 2 +-
 src/Http/Middleware/CP/RequireElevatedSession.php | 2 +-
 tests/Auth/ElevatedSessionTest.php | 6 +++---
 tests/Feature/Roles/StoreRoleTest.php | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/config/users.php b/config/users.php
index 568053b12a5..541aa891378 100644
--- a/config/users.php
+++ b/config/users.php
@@ -187,12 +187,12 @@
 | Elevated Session Disabled
 |--------------------------------------------------------------------------
 |
- | Here you may disable elevated sessions entirely. This can be
- | useful when using OAuth.
+ | Here you may enable or disable elevated sessions. Disabling
+ | can be useful when using OAuth.
 |
 */
 
- 'elevated_session_disabled' => false,
+ 'elevated_sessions_enabled' => true,
 
 /*
 |--------------------------------------------------------------------------
diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index 350f9475908..322088251d9 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 
 public function requireElevatedSession(): void
 {
- if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
diff --git a/src/Http/Middleware/CP/RequireElevatedSession.php b/src/Http/Middleware/CP/RequireElevatedSession.php
index efbcf859946..5229f528e49 100644
--- a/src/Http/Middleware/CP/RequireElevatedSession.php
+++ b/src/Http/Middleware/CP/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 
diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index 22e5970cccb..8b43f883d58 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -303,7 +303,7 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
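Review bot: Inverting the flag makes the guard fail open when the key is missing: `config('statamic.users.elevated_sessions_enabled')` returns null for an absent key, `null && ...` is false, and `requireElevatedSession()` in the CpController hunk silently stops requiring re-authentication, whereas the previous `! ...elevated_session_disabled` form failed closed in the same situation. An absent key is realistic here: a site whose published config/users.php predates this release, or a stale spelling after the further renames in patches 07 and 09. Pass the default explicitly, `config('statamic.users.elevated_sessions_enabled', true)`, in this hunk and the middleware hunk below, and likewise in the later route-registration, JavascriptComposer and renamed reads (L8, L11, L12, L13, L16, L17). Statamic's service provider may merge the package defaults into the published config at boot, which would cover the first case — worth confirming, but the explicit default costs nothing either way.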
@@ -316,7 +316,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
@@ -330,7 +330,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 5beffbe2880..396afd96ebd 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -71,7 +71,7 @@ public function it_denies_access_without_active_elevated_session()
 #[Test]
 public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this
 ->actingAsUserWithPermissions(['edit roles'])

From b5476f5459144cbac2a40329fe05b4c17d8dcc3a Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 21 Apr 2026 11:05:04 -0400
Subject: [PATCH 06/10] wip

---
 config/users.php | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/config/users.php b/config/users.php
index c746390204d..e020b61fe4d 100644
--- a/config/users.php
+++ b/config/users.php
@@ -180,22 +180,12 @@
 |
 */
 
+ 'elevated_sessions_enabled' => true,
+
 'elevated_session_duration' => 15,
 
 'elevated_session_url' => null,
 
- /*
- |--------------------------------------------------------------------------
- | Elevated Session Disabled
- |--------------------------------------------------------------------------
- |
- | Here you may enable or disable elevated sessions. Disabling
- | can be useful when using OAuth.
- |
- */
-
- 'elevated_sessions_enabled' => true,
-
 /*
 |--------------------------------------------------------------------------
 | Two-Factor Authentication

From 72d345719a7429e576b52eb198dba4fb46119c80 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 21 Apr 2026 11:06:54 -0400
Subject: [PATCH 07/10] Rename config to singular elevated_session_enabled

Matches the existing singular elevated_session_duration and elevated_session_url keys.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 config/users.php | 2 +-
 src/Http/Controllers/CP/CpController.php | 2 +-
 src/Http/Middleware/RequireElevatedSession.php | 2 +-
 tests/Auth/ElevatedSessionTest.php | 6 +++---
 tests/Feature/Roles/StoreRoleTest.php | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/users.php b/config/users.php
index e020b61fe4d..b344cf1216e 100644
--- a/config/users.php
+++ b/config/users.php
@@ -180,7 +180,7 @@
 |
 */
 
- 'elevated_sessions_enabled' => true,
+ 'elevated_session_enabled' => true,
 
 'elevated_session_duration' => 15,
 
diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index 322088251d9..7498e04d664 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
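Review bot: Removing the "Elevated Session Disabled" block leaves `elevated_sessions_enabled` with no description of its own in the published config; the only remaining hint is the one sentence added to the duration section in patch 01 ("You may also disable the elevated session entirely."), which does not say what is given up. Since this key switches off a security control, the section comment should say so next to it, e.g. `| Setting elevated_sessions_enabled to false skips the re-authentication` / `| step for sensitive actions entirely; this can be useful when using OAuth.`. The commit title "wip" also gives a future reader nothing to explain why the block was folded into the existing section.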
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 
 public function requireElevatedSession(): void
 {
- if (config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()) {
+ if (config('statamic.users.elevated_session_enabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
diff --git a/src/Http/Middleware/RequireElevatedSession.php b/src/Http/Middleware/RequireElevatedSession.php
index f990cb75dd3..d42d784acd4 100644
--- a/src/Http/Middleware/RequireElevatedSession.php
+++ b/src/Http/Middleware/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (config('statamic.users.elevated_sessions_enabled') && ! $request->hasElevatedSession()) {
+ if (config('statamic.users.elevated_session_enabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 
diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index b6bf112d987..1f9b4e0a357 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -324,7 +324,7 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
 {
- config(['statamic.users.elevated_sessions_enabled' => false]);
+ config(['statamic.users.elevated_session_enabled' => false]);
 
 $this->actingAs($this->user);
 
@@ -337,7 +337,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
 {
- config(['statamic.users.elevated_sessions_enabled' => false]);
+ config(['statamic.users.elevated_session_enabled' => false]);
 
 $this->actingAs($this->user);
 
@@ -351,7 +351,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
 {
- config(['statamic.users.elevated_sessions_enabled' => false]);
+ config(['statamic.users.elevated_session_enabled' => false]);
 
 $this->actingAs($this->user);
 
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 396afd96ebd..2523c44ac65 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -71,7 +71,7 @@ public function it_denies_access_without_active_elevated_session()
 #[Test]
 public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
 {
- config(['statamic.users.elevated_sessions_enabled' => false]);
+ config(['statamic.users.elevated_session_enabled' => false]);
 
 $this
 ->actingAsUserWithPermissions(['edit roles'])

From 2f56836c3fb10e7b6c65c679f25400f7d56ac570 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 21 Apr 2026 11:28:45 -0400
Subject: [PATCH 08/10] Skip registering elevated session routes when disabled

Also exposes the flag to JS so the requireElevatedSession helper short-circuits before hitting the (now absent) status endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../js/components/elevated-sessions/index.js | 2 +
 routes/cp.php | 12 ++--
 routes/web.php | 14 +++-
 .../View/Composers/JavascriptComposer.php | 1 +
 tests/Auth/ElevatedSessionDisabledTest.php | 55 +++++++++++++++++++
 5 files changed, 73 insertions(+), 11 deletions(-)
 create mode 100644 tests/Auth/ElevatedSessionDisabledTest.php

diff --git a/resources/js/components/elevated-sessions/index.js b/resources/js/components/elevated-sessions/index.js
index fcd8f155f89..bb94a819fec 100644
--- a/resources/js/components/elevated-sessions/index.js
+++ b/resources/js/components/elevated-sessions/index.js
@@ -1,6 +1,8 @@
 import axios from 'axios';
 
 export async function requireElevatedSession() {
+ if (!Statamic.$config.get('elevatedSessionEnabled')) return;
+
 const response = await axios.get(cp_url('elevated-session'));
 
 if (response.data.elevated) return;
diff --git a/routes/cp.php b/routes/cp.php
index 2ba14ab8544..9dceae2cbc4 100644
--- a/routes/cp.php
+++ b/routes/cp.php
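Review bot: The early return in `requireElevatedSession()` treats an undefined `elevatedSessionEnabled` the same as an explicit false: `!Statamic.$config.get('elevatedSessionEnabled')` is true when the key is absent from the config payload (an older JavascriptComposer, or a cached config object), so the confirm prompt is skipped while the server-side middleware still rejects the request, and the user sees the authorization error instead of the confirm form. Only an explicit disable should short-circuit: `if (Statamic.$config.get('elevatedSessionEnabled') === false) return;` (the same shape applies after the rename to `elevatedSessionsEnabled` in patch 09). The remainder of `requireElevatedSession()` is outside the hunk.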
@@ -443,11 +443,13 @@
 
 Route::get('session-timeout', SessionTimeoutController::class)->name('session.timeout');
 
- Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
- Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
- Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
- Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
- Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+ if (config('statamic.users.elevated_session_enabled')) {
+ Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
+ Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
+ Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
+ Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
+ Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+ }
 
 Route::get('playground', PlaygroundController::class)->name('playground');
 
diff --git a/routes/web.php b/routes/web.php
index 884ff0b2a91..2c5ec15478e 100755
--- a/routes/web.php
+++ b/routes/web.php
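Review bot: The `if (config('statamic.users.elevated_session_enabled'))` around the route registrations is evaluated once, when routes are registered (and, when routes are cached, frozen into the cache), whereas `CpController::requireElevatedSession()` and the middleware evaluate the same key per request. If the value differs between those two moments — routes cached with the flag on and then disabled through the env var added in patch 10, or the reverse — the middleware can still throw `ElevatedSessionAuthorizationException` and send the user to `/cp/auth/confirm-password` (the redirect StoreRoleTest expects) after that route has been dropped, giving a 404 instead of the confirm form. The same applies to the routes/web.php hunk on L12. A comment above the `if`, `// Evaluated at route registration; re-run route:cache after changing the flag.`, would make this visible; alternatively register the routes unconditionally and have the controller respond 404 when disabled, so the flag has a single read point.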
@@ -54,12 +54,14 @@
 Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
 Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
- Route::middleware('auth')->group(function () {
- Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
- Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
- Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
- Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
- });
+ if (config('statamic.users.elevated_session_enabled')) {
+ Route::middleware('auth')->group(function () {
+ Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
+ Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
+ Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
+ Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
+ });
+ }
 
 Route::group(['prefix' => 'passkeys'], function () {
 Route::middleware('throttle:statamic.passkeys')->group(function () {
diff --git a/src/Http/View/Composers/JavascriptComposer.php b/src/Http/View/Composers/JavascriptComposer.php
index eede2567d4f..dd3e9d666d7 100644
--- a/src/Http/View/Composers/JavascriptComposer.php
+++ b/src/Http/View/Composers/JavascriptComposer.php
@@ -64,6 +64,7 @@ private function protectedVariables()
 'ajaxTimeout' => config('statamic.system.ajax_timeout'),
 'googleDocsViewer' => config('statamic.assets.google_docs_viewer'),
 'focalPointEditorEnabled' => config('statamic.assets.focal_point_editor'),
+ 'elevatedSessionEnabled' => config('statamic.users.elevated_session_enabled'),
 'user' => $this->user($user),
 'defaultPreferences' => Preference::default()->all(),
 'paginationSize' => config('statamic.cp.pagination_size'),
diff --git a/tests/Auth/ElevatedSessionDisabledTest.php b/tests/Auth/ElevatedSessionDisabledTest.php
new file mode 100644
index 00000000000..78cb0a341e8
--- /dev/null
+++ b/tests/Auth/ElevatedSessionDisabledTest.php
@@ -0,0 +1,55 @@
+user = User::make()->email('foo@bar.com')->makeSuper()->password('secret');
+ $this->user->save();
+ }
+
+ protected function getEnvironmentSetUp($app)
+ {
+ parent::getEnvironmentSetUp($app);
+
+ $app['config']->set('statamic.users.elevated_session_enabled', false);
+ }
+
+ #[Test]
+ public function cp_elevated_session_routes_are_not_registered()
+ {
+ $this->actingAs($this->user);
+
+ $this->get('/cp/elevated-session')->assertNotFound();
+ $this->get('/cp/elevated-session/passkey-options')->assertNotFound();
+ $this->post('/cp/elevated-session')->assertNotFound();
+ $this->get('/cp/elevated-session/resend-code')->assertNotFound();
+ $this->get('/cp/auth/confirm-password')->assertNotFound();
+ }
+
+ #[Test]
+ public function frontend_elevated_session_routes_are_not_registered()
+ {
+ $this->actingAs($this->user);
+
+ $this->get('/!/auth/confirm-password')->assertNotFound();
+ $this->post('/!/auth/elevated-session')->assertNotFound();
+ $this->get('/!/auth/elevated-session/passkey-options')->assertNotFound();
+ $this->get('/!/auth/elevated-session/resend-code')->assertNotFound();
+ }
+}

From 20fec310c182dff6eb7579d1f21f469421d49ad0 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 21 Apr 2026 14:01:57 -0400
Subject: [PATCH 09/10] Rename config to plural elevated_sessions_enabled

Feature-level boolean reads better as plural. Kept elevated_session_duration singular since "duration of a session" is semantically about one session.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 config/users.php | 2 +-
 resources/js/components/elevated-sessions/index.js | 2 +-
 routes/cp.php | 2 +-
 routes/web.php | 2 +-
 src/Http/Controllers/CP/CpController.php | 2 +-
 src/Http/Middleware/RequireElevatedSession.php | 2 +-
 src/Http/View/Composers/JavascriptComposer.php | 2 +-
 tests/Auth/ElevatedSessionDisabledTest.php | 2 +-
 tests/Auth/ElevatedSessionTest.php | 6 +++---
 tests/Feature/Roles/StoreRoleTest.php | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)
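Review bot: `getEnvironmentSetUp()` sets the flag before the application boots, unlike the tests in ElevatedSessionTest and StoreRoleTest, which call `config([...])` inside the test body; the difference matters because the conditional registration in routes/cp.php and routes/web.php runs while routes are being registered, so a request-time `config([...])` would be too late here, and nothing in the file says so. A one-line comment on the setter, `// Must be set before boot: the elevated-session routes are registered conditionally.`, would stop someone simplifying it to match the other tests. The file's opening lines (namespace, imports and the start of `setUp()`) are not legible in this rendering of the hunk, so the class header could not be checked.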
diff --git a/config/users.php b/config/users.php
index b344cf1216e..e020b61fe4d 100644
--- a/config/users.php
+++ b/config/users.php
@@ -180,7 +180,7 @@
 |
 */
 
- 'elevated_session_enabled' => true,
+ 'elevated_sessions_enabled' => true,
 
 'elevated_session_duration' => 15,
 
diff --git a/resources/js/components/elevated-sessions/index.js b/resources/js/components/elevated-sessions/index.js
index bb94a819fec..47ff4eae486 100644
--- a/resources/js/components/elevated-sessions/index.js
+++ b/resources/js/components/elevated-sessions/index.js
@@ -1,7 +1,7 @@
 import axios from 'axios';
 
 export async function requireElevatedSession() {
- if (!Statamic.$config.get('elevatedSessionEnabled')) return;
+ if (!Statamic.$config.get('elevatedSessionsEnabled')) return;
 
 const response = await axios.get(cp_url('elevated-session'));
 
diff --git a/routes/cp.php b/routes/cp.php
index 9dceae2cbc4..6b23b6b9873 100644
--- a/routes/cp.php
+++ b/routes/cp.php
@@ -443,7 +443,7 @@
 
 Route::get('session-timeout', SessionTimeoutController::class)->name('session.timeout');
 
- if (config('statamic.users.elevated_session_enabled')) {
+ if (config('statamic.users.elevated_sessions_enabled')) {
 Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
 Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
 Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
diff --git a/routes/web.php b/routes/web.php
index 2c5ec15478e..4eab84115c2 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -54,7 +54,7 @@
 Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
 Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
- if (config('statamic.users.elevated_session_enabled')) {
+ if (config('statamic.users.elevated_sessions_enabled')) {
 Route::middleware('auth')->group(function () {
 Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
 Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index 7498e04d664..322088251d9 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 
 public function requireElevatedSession(): void
 {
- if (config('statamic.users.elevated_session_enabled') && ! request()->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
diff --git a/src/Http/Middleware/RequireElevatedSession.php b/src/Http/Middleware/RequireElevatedSession.php
index d42d784acd4..f990cb75dd3 100644
--- a/src/Http/Middleware/RequireElevatedSession.php
+++ b/src/Http/Middleware/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (config('statamic.users.elevated_session_enabled') && ! $request->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 
diff --git a/src/Http/View/Composers/JavascriptComposer.php b/src/Http/View/Composers/JavascriptComposer.php
index dd3e9d666d7..c2251917c38 100644
--- a/src/Http/View/Composers/JavascriptComposer.php
+++ b/src/Http/View/Composers/JavascriptComposer.php
@@ -64,7 +64,7 @@ private function protectedVariables()
 'ajaxTimeout' => config('statamic.system.ajax_timeout'),
 'googleDocsViewer' => config('statamic.assets.google_docs_viewer'),
 'focalPointEditorEnabled' => config('statamic.assets.focal_point_editor'),
- 'elevatedSessionEnabled' => config('statamic.users.elevated_session_enabled'),
+ 'elevatedSessionsEnabled' => config('statamic.users.elevated_sessions_enabled'),
 'user' => $this->user($user),
 'defaultPreferences' => Preference::default()->all(),
 'paginationSize' => config('statamic.cp.pagination_size'),
diff --git a/tests/Auth/ElevatedSessionDisabledTest.php b/tests/Auth/ElevatedSessionDisabledTest.php
index 78cb0a341e8..0ddccfe06ee 100644
--- a/tests/Auth/ElevatedSessionDisabledTest.php
+++ b/tests/Auth/ElevatedSessionDisabledTest.php
@@ -27,7 +27,7 @@ protected function getEnvironmentSetUp($app)
 {
 parent::getEnvironmentSetUp($app);
 
- $app['config']->set('statamic.users.elevated_session_enabled', false);
+ $app['config']->set('statamic.users.elevated_sessions_enabled', false);
 }
 
 #[Test]
diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index 1f9b4e0a357..b6bf112d987 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -324,7 +324,7 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
 {
- config(['statamic.users.elevated_session_enabled' => false]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
@@ -337,7 +337,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
 {
- config(['statamic.users.elevated_session_enabled' => false]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
@@ -351,7 +351,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
 {
- config(['statamic.users.elevated_session_enabled' => false]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this->actingAs($this->user);
 
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 2523c44ac65..396afd96ebd 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -71,7 +71,7 @@ public function it_denies_access_without_active_elevated_session()
 #[Test]
 public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
 {
- config(['statamic.users.elevated_session_enabled' => false]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 
 $this
 ->actingAsUserWithPermissions(['edit roles'])

From 7f70cf414d6f940c07371410a8e47e972cfea2d7 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 21 Apr 2026 14:02:56 -0400
Subject: [PATCH 10/10] Allow elevated sessions to be toggled via env var

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 config/users.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/users.php b/config/users.php
index e020b61fe4d..9e6fbaafe64 100644
--- a/config/users.php
+++ b/config/users.php
@@ -180,7 +180,7 @@
 |
 */
 
- 'elevated_sessions_enabled' => true,
+ 'elevated_sessions_enabled' => env('STATAMIC_ELEVATED_SESSIONS_ENABLED', true),
 
 'elevated_session_duration' => 15,
 
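Review bot: `env('STATAMIC_ELEVATED_SESSIONS_ENABLED', true)` feeds a plain PHP truthiness test in the middleware and in `requireElevatedSession()`, so the accepted spellings are narrower than the name suggests: Laravel's `env()` maps only the literal strings `true`/`false` (and their parenthesised forms) to booleans, `"0"` and, I believe, an empty assignment (`STATAMIC_ELEVATED_SESSIONS_ENABLED=`) come back as falsy strings and silently disable the re-authentication requirement, while `no`/`off` stay truthy and keep it enabled. The cases that keep the control on are harmless; the empty-value case is the one that deserves a line in the section comment and a test next to ElevatedSessionDisabledTest, e.g. `| Only a literal false (or 0) disables elevated sessions; leave the variable unset to keep the default.`. The config block around the key starts outside this hunk.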