Closed dvjones89 closed 3 years ago
You are right in that the resource is the current_user. But, given the authorisation on the POST_disable_authy action also only checks that they are the current user, you wouldn't want that action to be able to disable 2FA for an arbitrary user, because any user could disable 2FA for any other user.
Instead, I would build your own action, within your admin section, that could disable 2FA for a user, but is also only available to admins.
Thanks for the kind mention on Twitter earlier btw! It's been too long!
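The admin-only action suggested above, sketched as an added example rather than code from authy-devise or from this thread. It assumes authy-devise's user columns are named authy_id and authy_enabled and that the Authy API exposes a delete_user call; both are my assumptions, and the API client here is a constructed stand-in so the snippet runs offline.

```ruby
# Added example, not authy-devise's own code. Models an admin-only
# "disable 2FA for this user" operation: the target may be any user,
# but the *actor* must be an admin. Reusing the user-facing disable
# route would instead let any signed-in user disable anyone's 2FA.

class NotAuthorized < StandardError; end

# Assumed user shape (column names follow authy-devise as I understand them).
User = Struct.new(:id, :admin, :authy_id, :authy_enabled, keyword_init: true)

# Constructed stand-in for the Authy API's delete_user call (assumption).
AuthyResponse = Struct.new(:success) do
  def ok?
    success
  end
end

class FakeAuthyApi
  attr_reader :deleted_ids

  def initialize
    @deleted_ids = []
  end

  def delete_user(id:)
    @deleted_ids << id
    AuthyResponse.new(true)
  end
end

class AdminTwoFactorDisabler
  def initialize(actor:, api:)
    @actor = actor
    @api = api
  end

  # Returns true when 2FA was disabled for +target+, false when there was
  # nothing to do or the API call failed; raises unless the actor is an admin.
  def call(target)
    raise NotAuthorized, "admin role required" unless @actor.admin
    return false unless target.authy_enabled

    response = @api.delete_user(id: target.authy_id)
    return false unless response.ok?

    # Mirror what the user-facing disable does to the record, but for +target+.
    target.authy_enabled = false
    target.authy_id = nil
    true
  end
end
```

In a Rails app the same check would sit in a before_action on the admin controller, with the target looked up from params rather than from current_user.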
Hi @philnash
Thanks for your speedy reply!
Thanks, the existing behaviour makes complete sense and, as you suggest, I'll build something custom for this admin functionality.
I'd say let's meet up for beer/coffee once the COVID restrictions lift, though since you've moved over to Australia, that might be easier said than done.
Take care and keep up the great work!
Awesome, let me know if there's anything else I can help with. And yes, a beer/coffee would be great were I not now the other side of the world!
Hi there,
Firstly, I apologise if this is a daft question and I've totally misunderstood/overlooked something simple, though I'm hoping someone can help point me in the right direction.
I'm currently trying to implement an (admin-only) feature, allowing Authy 2FA to be disabled for a particular user.
Initially I made use of the user_disable_authy_path route helper, without supplying any additional arguments:
During testing, however, I realised that this wants to disable 2FA for the current_user, rather than the user instance being viewed by the admin.
After searching in GitHub to see how other open-source repos are using the user_disable_authy_path path, I saw a handful of people passing in an id parameter, so I gave that a try:
Unfortunately, as far as I can tell, 2FA is still being disabled on current_user, rather than @user.
From reading the authy-devise source code, I think I've found the line where resource is being consistently set to current_user: https://github.com/twilio/authy-devise/blob/c5955b88dfd561180eecd9d93b708bd76839539a/app/controllers/devise/devise_authy_controller.rb#L184
Is there a way to override this behaviour such that resource can be set to an arbitrary user record?
Thanks in advance for any help.
Dave J