Uncaught Exception removing TOTP MFA as a user_support_manager in FusionAuth Admin UI
When a user_support_manager attempts to remove TOTP MFA from another user within the FusionAuth Admin UI, the UI displays a TOTP screen. Even if you have the code, the screen will go away and the browser will be awaiting input. One click more and you are back to the FusionAuth Admin UI.
Observed on 1.49.1, possibly affects others.
Steps to reproduce the behavior:
1. Create a user (i.e., UserA) in the Default Tenant.
2. Register them to the FusionAuth application with just the user_support_manager role.
3. Create another user in a different Tenant and application that has MFA enabled or required (i.e., UserB).
4. Log UserB into the application they are registered for and enable TOTP MFA. Log out.
5. Log in to the FusionAuth app as UserA.
6. Navigate to Users -> Select UserB and select the MultiFactor tab.
7. Click the trash can icon next to the Authenticator MFA that was set up for UserB.
When UserA attempts to delete UserB's TOTP MFA method, they should be provided with a 'not authorized' error, not a TOTP request screen.