magento / magento2

Magento 2.4.4 EE update. Admin users with custom roles can't login. Get message saying "Sorry, you need permissions to view this content." #29884

Open johncollinseu opened 4 years ago

johncollinseu commented 4 years ago

Preconditions (*)

  1. Upgrade Magento 2.4.2 to 2.4.4 enterprise version
  2. PHP 7.4
  3. MySql 5.7

Steps to reproduce (*)

  1. Start with Magento 2.4.4 Enterprise Edition.
  2. Set up Admin users who have roles with custom resource access.
  3. Admin users with full resource access can log in and set up 2FA as described here https://docs.magento.com/user-guide/stores/admin-signin.html#step-3-complete-the-2fa-configuration
  4. Admin users who have custom resource access (e.g. sales admins) do not get the option to set up 2FA; instead they get a "Sorry, you need permissions to view this content." page (screenshot below).

Expected result (*)

  1. The Admin users with custom roles should be able to set up 2FA as described https://docs.magento.com/user-guide/stores/admin-signin.html#step-3-complete-the-2fa-configuration

Actual result (*)

  1. Admin users with custom roles enter their login details and get the following page: [screenshot]

m2-assistant[bot] commented 4 years ago

Hi @johncollinseu. Thank you for your report. To help us process this issue please make sure that you provided the following information:

Please make sure that the issue is reproducible on a vanilla Magento instance following the Steps to reproduce. To deploy a vanilla Magento instance on our environment, please add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this


Dave-W commented 4 years ago

There is an issue with 2FA that causes this: under System > Permissions > 2 Factor Auth the user role can end up without permission to use 2FA but at the same time be required to use 2FA to log in. This is probably not a good thing! Turning on this permission for all our user roles has fixed the issue for us.

[screenshot]

wssweb commented 4 years ago

Stores > Settings > Configuration > Two Factor Auth also seems to be required. To get our new users to log in I had to enable this and System > Permissions > Two Factor Auth as mentioned above.

If I just enabled System > Permissions > Two Factor Auth then I would get the same "Sorry, you need permissions to view this content." error. If I only enabled Stores > Settings > Configuration > Two Factor Auth then the user would get stuck in a redirect loop trying to log in. With both granted, however, it works as expected, sending the user their email to register 2FA and letting them in once completed.

hanhpv commented 3 years ago

I can confirm. After upgrading to 2.4.1, all admin users who are not in the Administrator role get a redirect loop after logging in. Updating the roles with the 2FA permission solved the issue.

poebel commented 3 years ago

We changed the 2FA controllers to use the generic "Magento_Backend::admin" ACL resource, which all roles should include, instead of the "Magento_TwoFactorAuth::config" ACL resource, to avoid this problem (attachment: Github Issue 29884 - wrong ACL for 2FA.patch.txt).

m2-assistant[bot] commented 3 years ago

Hi @engcom-Delta. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction: :point_down:

magento-engcom-team commented 3 years ago

:white_check_mark: Confirmed by @engcom-Delta. Thank you for verifying the issue. Based on the provided information, internal ticket MC-40294 was created.

Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

sdzhepa commented 3 years ago

Hello @johncollinseu

Thank you for your report and collaboration!

Let me shed some light on this issue.

  1. This issue is a duplicate of https://github.com/magento/security-package/issues/266
  2. https://github.com/magento/security-package/issues/266 was already fixed by the Magento team
  3. The fix should be available in 2.4.1p1 and 2.4.2 releases. This information was added to the known-issue section

    src: https://devdocs.magento.com/guides/v2.4/release-notes/open-source-2-4-1.html#known-issues

    Issue: Users without administrator privileges cannot currently set up their personal 2FA access. 2FA as implemented in Magento includes two ACL roles. One role affects global system configuration and it is needed only when configuring the system. The second ACL role affects individual user 2FA accounts. An admin user must configure this second type of 2FA ACL. Workaround: After the user has logged in and seen the Access denied screen, they can visit https:////tfa/tfa/requestconfig/ to force configuration. Note: We do not recommend disabling security settings. However, this workaround is effective only when Admin URL secret keys are disabled.

  4. Also, there is a patch available if needed on https://github.com/magento/security-package/issues/266#issuecomment-721153086

JithinJay commented 3 years ago

Hi

We have faced the same issue in Magento 2.4.2 EE; we are upgrading from 2.3.1. Are any patches for 2.4.2 EE available?

Thanks :+1:

poebel commented 3 years ago

Hi @JithinJay,

seems like you need to set the 2FA permission for each role for it to work in 2.4.2.

Keep in mind that there are two "Two Factor Auth" permission entries: one for the configuration (Stores -> Settings -> Configuration -> Two Factor Auth), which is NOT required, and one for access to the 2FA pages themselves (System -> Permissions -> Two Factor Auth), which seems to be required.

Why someone came to the conclusion that a separate permission for access to the 2FA setup for your own account makes any sense is beyond my understanding. The backend will simply not work without it, if 2FA is enabled at all ...
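A role audit for the lockout described in the two comments above, added here as an example (not Magento's code and not any commenter's): it models rows from Magento's authorization_rule table and flags roles whose effective grants include neither Magento_Backend::all nor the System -> Permissions -> Two Factor Auth resource. The resource id Magento_TwoFactorAuth::tfa, the Magento_Backend::all "all resources" grant, and the allow/deny row semantics are assumptions to check against your instance's acl.xml and database.

```python
"""Audit Magento admin roles for the per-user 2FA ACL permission.

Constructed example, not Magento code. It models rows exported from
authorization_rule (role name joined from authorization_role) and lists roles
whose admins would hit "Sorry, you need permissions to view this content."
when forced through 2FA setup.
"""
from dataclasses import dataclass

# Assumed ACL resource ids (verify against your acl.xml).
ACL_ALL = "Magento_Backend::all"                  # the 'All' resource grant
ACL_TFA_PAGES = "Magento_TwoFactorAuth::tfa"      # System > Permissions > Two Factor Auth
ACL_TFA_CONFIG = "Magento_TwoFactorAuth::config"  # store config entry; not sufficient


@dataclass(frozen=True)
class Rule:
    role_name: str
    resource_id: str
    permission: str  # 'allow' or 'deny', as stored in authorization_rule.permission


def granted_resources(rules, role_name):
    """Effective allow-set for one role; an explicit 'deny' row overrides 'allow'."""
    mine = [r for r in rules if r.role_name == role_name]
    allowed = {r.resource_id for r in mine if r.permission == "allow"}
    denied = {r.resource_id for r in mine if r.permission == "deny"}
    return allowed - denied


def roles_locked_out_of_2fa(rules):
    """Sorted names of roles holding neither the 'All' grant nor the 2FA pages resource."""
    locked = []
    for role in sorted({r.role_name for r in rules}):
        granted = granted_resources(rules, role)
        if ACL_ALL not in granted and ACL_TFA_PAGES not in granted:
            locked.append(role)
    return locked


# Constructed sample rows mirroring the thread: Administrators hold 'All';
# 'Sales Admin' has only the config entry (not enough); 'Support' has the pages entry;
# 'Marketing' has the pages entry explicitly denied.
SAMPLE_RULES = [
    Rule("Administrators", ACL_ALL, "allow"),
    Rule("Sales Admin", "Magento_Sales::sales", "allow"),
    Rule("Sales Admin", ACL_TFA_CONFIG, "allow"),
    Rule("Support", "Magento_Customer::customer", "allow"),
    Rule("Support", ACL_TFA_PAGES, "allow"),
    Rule("Marketing", "Magento_Catalog::catalog", "allow"),
    Rule("Marketing", ACL_TFA_PAGES, "deny"),
]

if __name__ == "__main__":
    for role in roles_locked_out_of_2fa(SAMPLE_RULES):
        print(f"role '{role}' lacks {ACL_TFA_PAGES}: its admins cannot complete 2FA setup")
```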

kamal02mittal commented 3 years ago

In Magento 2.4.2 it is allowed by default. There is no code to check if 2FA is enabled or not. To correct this I have made some changes, and these are working for me.

  1. Magento\TwoFactorAuth\Observer\ControllerActionPredispatch.php

Add the code below at the start of the execute() method:

```php
public function execute(Observer $observer)
{
    // Skip the 2FA pre-dispatch handling entirely when 2FA is switched off in config
    if (!$this->tfa->isEnabled()) {
        return;
    }
    // ... the existing execute() body continues unchanged
}
```

  2. Magento\TwoFactorAuth\Model\Tfa.php

Change

```php
public function isEnabled(): bool
{
    return true;
}
```

to

```php
public function isEnabled(): bool
{
    // Read the on/off flag from configuration instead of hard-coding true
    return (bool)$this->scopeConfig->getValue(TfaInterface::XML_PATH_ENABLED);
}
```

  3. Added in file vendor\magento\module-two-factor-auth\Api\TfaInterface.php

```php
// Config path read by Tfa::isEnabled()
const XML_PATH_ENABLED = 'twofactorauth/general/enabled';
```

tuyennn commented 2 years ago

@sdzhepa Kindly reopen this ticket. We're upgrading from Magento 2.4.2 EE to 2.4.4 EE with Magento_TwoFactorAuth disabled. [screenshot]

For now every admin account is unable to log in. [screenshot]

engcom-November commented 2 years ago

Hello @tuyennn,

Verified the issue by upgrading from Magento 2.4.2 to 2.4.4 following the steps below, but could not reproduce the issue. Steps performed:

  1. Installed 2.4.2 project-community-edition and configured Magento_TwoFactorAuth as per docs
  2. Login to admin - System - permissions - User Roles - Add new Role - custom resource access - select Two-factor authentication as well and save
  3. System - Permissions - All Users - Add new User - Assign new user role and save
  4. Configure two factor authentication for new user as well from email as per docs
  5. Login to admin using new user - Enter google authentication code - Login
  6. Upgrade to 2.4.4 version. (Ref Guide)
  7. Login to admin using new user - No issue. User is able to enter authentication code and login
  8. Disable Magento_TwoFactorAuth and perform setup:upgrade
  9. Login to admin using new user - No issue. User is able to login directly.

Please let us know if we have missed anything in order to reproduce the issue.

Thanks

tuyennn commented 2 years ago

@engcom-November Not sure about recent changes to Magento_TwoFactorAuth, and I cannot replicate this on a fresh Magento instance, but our current site definitely has trouble while upgrading from EE 2.4.2 to EE 2.4.4; we postponed the upgrade.

engcom-Delta commented 2 years ago

Hi @johncollinseu, thank you for the update. We tried to reproduce the issue on Magento 2.4.4 EE, and the issue is reproducible. Hence marking the issue confirmed.

Please find the attached video for reference. https://www.loom.com/share/83935c37aec643c49759e6c3b20a60d3

github-jira-sync-bot commented 2 years ago

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-6039 is successfully created for this GitHub issue.

m2-assistant[bot] commented 2 years ago

:white_check_mark: Confirmed by @engcom-Delta. Thank you for verifying the issue.

Issue Available: @engcom-Delta, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

tuyennn commented 2 years ago

What a pity, marked Done 3 times and now it's Open; I really appreciate your quality control.

nidhigupta13-ey commented 1 year ago

@magento I am working on this

nidhigupta13-ey commented 1 year ago

@johncollinseu I have been working on this issue and I found that if we create a custom role and assign an admin to it, then while adding custom resources we have to set Two Factor Auth under Permissions. Then that user will be able to access 2FA and log in as well. Please refer to my screenshot below.

[screenshot]

nidhigupta13-ey commented 1 year ago

@magento how can we raise a PR for enterprise Magento?

jgallup commented 7 months ago

This is still an issue in 2.4.6-p2. All non-Administrator roles need to have "Two Factor Auth" added to them under "Permissions" in order to allow those admin users to log in.