The "require tfa" permission seems to be a bit confusing #10

Closed
talhaparacha opened this Issue Aug 6, 2016 · 3 comments

talhaparacha commented Aug 6, 2016

The TFA module provides a "require tfa" permission but it seems a bit confusing. That's because the permission name suggests that any user without this permission would be able to simply bypass the TFA process during login. But that is not the case as revealed by the module's behavior.

Therefore, I don't seem to get the rationale behind this permission. Can someone elaborate on this?

Owner

therealssj commented Aug 6, 2016

Yes. I do some places in the TfaLoginForm.php which should have additional hasPermission check for "require tfa" or possibly shift the check to the outermost if statement.

The permission is as it says. Every user who has this permission needs to do tfa.

Author

talhaparacha commented Aug 6, 2016

Understood

Owner

therealssj commented Aug 11, 2016

marked for next commit.

therealssj closed this Aug 11, 2016
