Open johncollinseu opened 4 years ago
There is an issue with 2FA that causes this, under system > permissions > 2 factor auth the user role can end up without permission to use 2FA but at the same time require 2FA to log in. This is probably not a good thing! Turning on this permission for all our user roles has fixed the issue for us.
Stores > Settings > Configuration > Two Factor Auth also seems to be required. To get our new users to log in I had to enable this and System > Permissions > Two Factor Auth as mentioned above.
If I just enabled System > Permissions > Two Factor Auth then I would get the same "Sorry, you need permissions to view this content." error. If I only enabled Stores > Settings > Configuration > Two Factor Auth then the user would get stuck in a redirect loop trying to log in. With both granted however it works as expected sending the user their email to register the 2FA and lets them in once completed.
I can confirm. After upgrading to 2.4.1, all admin users who are not in the Administrator role get a redirect loop after logging in. Updating the roles with the 2FA permission solved the issue.
We changed the 2FA Controllers to use the generic "Magento_Backend::admin" ACL Resource which all roles should include instead of using the "Magento_TwoFactorAuth::config" ACL Resource to avoid this problem: Github Issue 29884 - wrong ACL for 2FA.patch.txt
:white_check_mark: Confirmed by @engcom-Delta
Thank you for verifying the issue. Based on the provided information internal tickets MC-40294 were created
Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
Hello @johncollinseu
Thank you for your report and collaboration!
Let me shed some light on this issue.
src: https://devdocs.magento.com/guides/v2.4/release-notes/open-source-2-4-1.html#known-issues
Issue: Users without administrator privileges cannot currently set up their personal 2FA access. 2FA as implemented in Magento includes two ACL roles. One role affects global system configuration and it is needed only when configuring the system. The second ACL role affects individual user 2FA accounts. An admin user must configure this second type of 2FA ACL.
Workaround: After the user has logged in and seen the Access denied screen, they can visit https:// / /tfa/tfa/requestconfig/ to force configuration. Note: We do not recommend disabling security settings. However, this workaround is effective only when Admin URL secret keys are disabled.
Hi
We have faced the same issue in Magento 2.4.2 EE, we are upgrading from 2.3.1, any patches for 2.4.2 EE available?
Thanks :+1:
Hi @JithinJay,
seems like you need to set the 2FA permission for each role for it to work in 2.4.2.
Keep in mind that there are two "Two Factor Auth" permission entries, one for the configuration (Stores -> Settings -> Configuration -> Two Factor Auth) which is NOT required and one for access to the 2FA pages themselves (System -> Permissions -> Two Factor Auth) which seems to be required.
Why someone came to the conclusion that a separate permission for access to the 2FA setup for your own account makes any sense is beyond my understanding. The backend will simply not work without it, if 2FA is enabled at all ...
In Magento 2.4.2 it is allowed by default. There is no code to check if the 2FA is enabled or not. To correct this I have done some changes and these are working for me.

Add the below code in the execute() method:

```php
public function execute(Observer $observer)
{
    if (!$this->tfa->isEnabled()) {
        return;
    }
    // ... rest of the existing method body
}
```

Change

```php
public function isEnabled(): bool
{
    return true;
}
```

to

```php
public function isEnabled(): bool
{
    return !!$this->scopeConfig->getValue(TfaInterface::XML_PATH_ENABLED);
}
```

```php
const XML_PATH_ENABLED = 'twofactorauth/general/enabled';
```
@sdzhepa Kindly reopen this ticket. We're upgrading from Magento 2.4.2 EE to 2.4.4 EE with disabled Magento_TwoFactorAuth.
For now all admin accounts are unable to log in.
Hello @tuyennn,
Verified the issue by upgrading from Magento 2.4.2 to 2.4.4 version with the below steps followed but were not able to reproduce the issue. Steps performed:
Please let us know if we have missed anything in order to reproduce the issue.
Thanks
@engcom-November Not sure for recent changes from Magento_TwoFactorAuth, and I cannot replicate this on fresh instance Magento, but for sure our current site has trouble while upgrading from EE 2.4.2 to EE 2.4.4, we postponed the upgrade.
Hi @johncollinseu, thank you for the update. We tried to reproduce the issue on Magento 2.4.4 EE and the issue is reproducible. Hence marking the issue confirmed.
Please find the attached video for reference. https://www.loom.com/share/83935c37aec643c49759e6c3b20a60d3
:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-6039 is successfully created for this GitHub issue.
:white_check_mark: Confirmed by @engcom-Delta. Thank you for verifying the issue.
What a pity, marked Done 3 times and now it's Open, I really appreciate your quality control.
@magento I am working on this
@johncollinseu I have been working on this issue and I found that if we are creating any custom role and assigning an admin to that role, then while adding custom resources we have to set the Two Factor Auth inside Permissions. Then that user will be able to access 2FA and able to log in as well. Please refer to my screenshot below.
@magento how we can raise PR for enterprise magento?
This is still an issue in 2.4.6-p2. All non-Administrator roles need to have "Two Factor Auth" added to them under "Permissions" in order to allow those admin users to login.
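
The following is an added example, not code from this thread or from Magento: a pre-upgrade audit that lists the admin roles that would hit the lockout described above because they lack the "Two Factor Auth" permission. It assumes that permission is stored as the ACL resource id `Magento_TwoFactorAuth::tfa`, that `Magento_Backend::all` is the Administrator role's full grant, and a reduced form of the `authorization_role` / `authorization_rule` tables; the rows are constructed sample data.

```python
import sqlite3

# Assumed resource ids (not quoted in the thread): the per-user 2FA pages and
# the "all resources" grant held by the Administrator role.
TFA_RESOURCE = "Magento_TwoFactorAuth::tfa"
ALL_RESOURCE = "Magento_Backend::all"

# Group roles ('G') with no explicit allow for either resource, plus the number
# of admin users ('U' rows whose parent is that group) who would be affected.
AUDIT_SQL = """
SELECT g.role_name, COUNT(u.role_id) AS admin_users
FROM authorization_role g
LEFT JOIN authorization_role u
       ON u.parent_id = g.role_id AND u.role_type = 'U'
WHERE g.role_type = 'G'
  AND NOT EXISTS (
        SELECT 1 FROM authorization_rule r
        WHERE r.role_id = g.role_id
          AND r.permission = 'allow'
          AND r.resource_id IN (?, ?))
GROUP BY g.role_id, g.role_name
ORDER BY g.role_name
"""

def roles_missing_tfa(conn):
    """Return [(role_name, affected_user_count)] for roles lacking 2FA access."""
    return conn.execute(AUDIT_SQL, (TFA_RESOURCE, ALL_RESOURCE)).fetchall()

def sample_db():
    """Constructed data: a 'deny' row counts as missing, like an absent row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE authorization_role (role_id INTEGER PRIMARY KEY,
        parent_id INTEGER, role_type TEXT, role_name TEXT);
    CREATE TABLE authorization_rule (rule_id INTEGER PRIMARY KEY,
        role_id INTEGER, resource_id TEXT, permission TEXT);
    INSERT INTO authorization_role VALUES
        (1,0,'G','Administrators'), (2,1,'U','admin'),
        (3,0,'G','Support'), (4,3,'U','alice'), (5,3,'U','bob'),
        (6,0,'G','Catalog'), (7,6,'U','carol');
    INSERT INTO authorization_rule (role_id, resource_id, permission) VALUES
        (1,'Magento_Backend::all','allow'),
        (3,'Magento_Sales::sales','allow'),
        (3,'Magento_TwoFactorAuth::tfa','deny'),
        (6,'Magento_Catalog::catalog','allow'),
        (6,'Magento_TwoFactorAuth::tfa','allow');
    """)
    return conn

if __name__ == "__main__":
    for name, users in roles_missing_tfa(sample_db()):
        print(f"role {name!r}: {users} admin user(s) cannot complete 2FA setup")
```

The same `AUDIT_SQL` can be run read-only against a copy of the store database before an upgrade, after confirming the resource ids against the installed module's `acl.xml`.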