[Bug 30724] New: Add ability for administrator to reset a users 2FA
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Bug ID: 30724 Summary: Add ability for administrator to reset a users 2FA Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: martin.renvoize@ptfs-europe.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Depends on: 28786 Occasionally one may lose their authenticator app storage.. we need a way to reset the 2FA for such a user so they can grab a new secret for their authenticator app. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 [Bug 28786] Two-factor authentication for staff client - TOTP -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 helm.consortium@nhs.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |helm.consortium@nhs.net -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Chris Rowlands <chris.rowlands6@nhs.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris.rowlands6@nhs.net -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- This was still a problem last time I looked -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com Depends on| |20476 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 [Bug 20476] Two factor authentication for the staff client - omnibus -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40545 CC| |tomascohen@gmail.com -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also|https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40545 | Depends on| |40545 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40545 [Bug 40545] Add a way to manually reset 2FA settings for admins -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #2 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- I added a script for this on bug 40545. I also added a method for dealing with this action which puts an action log when this happens. So I propose: - We add a permission (ideas?) - We make this controller allow a patron with the right permissions to clear the 2FA on any patron, or themselves. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Due to the security of this one, I'd say only superlibrarian should be able to clear/reset the MFA for another patron. If MFA is enabled, I think anyone should be able to change their own MFA. (One example is you've got a new phone and you need to change over to the authenticator app on your new phone. This would apply to both the staff interface and the OPAC.) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #4 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to David Cook from comment #3)
Due to the security of this one, I'd say only superlibrarian should be able to clear/reset the MFA for another patron.
If MFA is enabled, I think anyone should be able to change their own MFA. (One example is you've got a new phone and you need to change over to the authenticator app on your new phone. This would apply to both the staff interface and the OPAC.)
I agree. I’ll send a patch tomorrow -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40546 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi (tcohen) from comment #4)
I agree. I’ll send a patch tomorrow
Sounds good! If we did want more fine-grained permissions, I think it would be a good use case for bug 40546. Although that's also something we could pursue later. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #6 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184938 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184938&action=edit Bug 30724: Allow superlibrarians to manage 2FA for other patrons This enhances the two-factor authentication management interface to allow superlibrarians to disable 2FA for other patrons when they lose access to their authenticator device. Controller changes (members/two_factor_auth.pl): * Accept borrowernumber parameter to select target patron * Implement authorization checks (self-service or superlibrarian) * Use proper HTTP status codes (403/404) for error conditions * Update all patron operations to use selected patron * Integrate with new reset_2fa() method for consistency * Pass another_user flag to template for conditional display Template changes (two_factor_auth.tt): * Use has_2fa_enabled() method instead of auth_method string comparison * Prevent superlibrarians from enabling 2FA for other users * Show explanatory message when 2FA setup is restricted * Maintain proper conditional display logic UI Integration changes: * Update members toolbar to show 2FA option for superlibrarians * Pass borrowernumber parameter in all 2FA-related URLs * Maintain context when canceling 2FA registration * Use consistent parameter naming (borrowernumber vs patron_id) To test: 1. Enable TwoFactorAuthentication system preference 2. Set up 2FA for a test patron 3. As superlibrarian, visit patron details page 4. Click 'Manage two-factor authentication' in toolbar => SUCCESS: 2FA management page loads for the selected patron 5. Disable 2FA for the patron => SUCCESS: 2FA is disabled for the target patron, not the superlibrarian 6. Verify 'Enable 2FA' button is hidden with explanatory text => SUCCESS: Shows message that users must enable 2FA themselves 7. Test authorization: try accessing as non-superlibrarian for different patron => FAIL: Returns 403 Forbidden error 8. Sign off :-D -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #7 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184939 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184939&action=edit Bug 30724: (follow-up) Improve user interface text and messaging This enhances the user experience with clearer, more contextual messaging throughout the two-factor authentication management interface. Template improvements: * Add contextual page titles showing patron name when managing others * Replace generic status messages with personalized, descriptive text * Provide clear explanation of why 2FA setup is restricted for admins * Add actionable guidance for superlibrarians on available options * Use appropriate alert styling (success/info/warning) for different states * Include patron names in messages for better context The new messaging explains the security rationale behind restrictions and provides clear guidance on what actions are available to different user types. To test: 1. As superlibrarian, manage 2FA for another patron => SUCCESS: Page title shows "Two-factor authentication for [Name]" => SUCCESS: Status messages are personalized with patron name => SUCCESS: Clear explanation of setup restrictions with actionable guidance 2. Manage your own 2FA => SUCCESS: Messages use "Your account" language appropriately 3. Sign off :-D -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |martin.renvoize@openfifth.c |y.org |o.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #8 from David Nind <david@davidnind.com> --- I attempted to test, but wasn't able to enable 2Fa for the patron: 1. Applied the patches and restarted everything. 2. Enabled TwoFactorAuthentication system preference. 3. For Henry, set a password and added some permissions (didn't make superlibrarian). 4. Logged in as Henry 5. Went to [Henry's] My account > More > Manage two-factor authentication 6. Get "Error: You don't have permission to access this page." So, can't seem to enable 2FA for a staff user. Also having trouble setting 2FA for the koha user: 1. My account > More > Manage two-factor authentication 2. Scan code with app 3. Enter code from app 4. Get Error 404 page 5. Messages in logs 172.18.0.1 - - [01/Sep/2025:02:39:06 +0000] "POST /api/v1/app.pl/api/v1/auth/two-factor/registration/verification HTTP/1.1" 204 - "http://127.0.0.1:8081/cgi-bin/koha/members/two_factor_auth.pl?borrowernumber..." "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36" 172.18.0.1 - - [01/Sep/2025:02:39:06 +0000] "GET /intranet/members/two_factor_auth.pl HTTP/1.1" 302 0 "http://127.0.0.1:8081/cgi-bin/koha/members/two_factor_auth.pl?borrowernumber..." "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36" 172.18.0.1 - - [01/Sep/2025:02:39:07 +0000] "GET errors/404.pl HTTP/1.1" 404 36495 "http://127.0.0.1:8081/cgi-bin/koha/members/two_factor_auth.pl?borrowernumber..." "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36" 6. 2FA is actually enabled - log in prompts for code, and log in works. So, possibly something I'm doing wrong. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #9 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to David Nind from comment #8)
I attempted to test, but wasn't able to enable 2Fa for the patron:
1. Applied the patches and restarted everything. 2. Enabled TwoFactorAuthentication system preference. 3. For Henry, set a password and added some permissions (didn't make superlibrarian). 4. Logged in as Henry 5. Went to [Henry's] My account > More > Manage two-factor authentication 6. Get "Error: You don't have permission to access this page."
So, can't seem to enable 2FA for a staff user.
I think this is a general Koha bug: a staff user cannot see their own account details page unless they have `borrowers => [ 'edit_borrowers', 'list_borrowers' ]` permissions. Is out of the scope of this bug, so you can try heading to the page directly to try: http://kohadev-intra.localhost/cgi-bin/koha/members/two_factor_auth.pl?borro... Best regards -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #10 from David Nind <david@davidnind.com> --- Thanks!. Sorry, not having much luck testing this one: 1. For Step 5: As the koha user, after clicking the 'Disable two-factor authentication' for the patron (Henry in this case), I get a 404 page not found error and 2FA is not disabled for the patron (they are still prompted to enter the code when they log in). 2. After apply the patches, I did a yarn build and restart_all in case that was required. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #11 from David Nind <david@davidnind.com> --- I also get the same result if Henry is a superlibrarian, or has a limited set of permissions including 'borrowers'. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #184938|0 |1 is obsolete| | --- Comment #12 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 186235 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186235&action=edit Bug 30724: Allow superlibrarians to manage 2FA for other patrons This enhances the two-factor authentication management interface to allow superlibrarians to disable 2FA for other patrons when they lose access to their authenticator device. Controller changes (members/two_factor_auth.pl): * Accept borrowernumber parameter to select target patron * Implement authorization checks (self-service or superlibrarian) * Use proper HTTP status codes (403/404) for error conditions * Update all patron operations to use selected patron * Integrate with new reset_2fa() method for consistency * Pass another_user flag to template for conditional display Template changes (two_factor_auth.tt): * Use has_2fa_enabled() method instead of auth_method string comparison * Prevent superlibrarians from enabling 2FA for other users * Show explanatory message when 2FA setup is restricted * Maintain proper conditional display logic UI Integration changes: * Update members toolbar to show 2FA option for superlibrarians * Pass borrowernumber parameter in all 2FA-related URLs * Maintain context when canceling 2FA registration * Use consistent parameter naming (borrowernumber vs patron_id) To test: 1. Enable TwoFactorAuthentication system preference 2. Set up 2FA for a test patron 3. As superlibrarian, visit patron details page 4. Click 'Manage two-factor authentication' in toolbar => SUCCESS: 2FA management page loads for the selected patron 5. Disable 2FA for the patron => SUCCESS: 2FA is disabled for the target patron, not the superlibrarian 6. Verify 'Enable 2FA' button is hidden with explanatory text => SUCCESS: Shows message that users must enable 2FA themselves 7. Test authorization: try accessing as non-superlibrarian for different patron => FAIL: Returns 403 Forbidden error 8. Sign off :-D Sponsored-by: ByWater Solutions Signed-off-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #184939|0 |1 is obsolete| | --- Comment #13 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 186236 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186236&action=edit Bug 30724: (follow-up) Improve user interface text and messaging This enhances the user experience with clearer, more contextual messaging throughout the two-factor authentication management interface. Template improvements: * Add contextual page titles showing patron name when managing others * Replace generic status messages with personalized, descriptive text * Provide clear explanation of why 2FA setup is restricted for admins * Add actionable guidance for superlibrarians on available options * Use appropriate alert styling (success/info/warning) for different states * Include patron names in messages for better context The new messaging explains the security rationale behind restrictions and provides clear guidance on what actions are available to different user types. To test: 1. As superlibrarian, manage 2FA for another patron => SUCCESS: Page title shows "Two-factor authentication for [Name]" => SUCCESS: Status messages are personalized with patron name => SUCCESS: Clear explanation of setup restrictions with actionable guidance 2. Manage your own 2FA => SUCCESS: Messages use "Your account" language appropriately 3. Sign off :-D Sponsored-by: ByWater Solutions Signed-off-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #14 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 186237 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186237&action=edit Bug 30724: (follow-up) Corrections for self-enabling 2FA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off --- Comment #15 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- I agree with David, there were bugs here.. I've added a follow-up which I believe resolves the issue.. but I'd love someone to go through the test plan again to make sure I'm not hallucinating. I'm also not really happy with the introduction of a TT variable in the script block.. I'm sure there's a better way but my brain hasn't got the processing power this late on a friday afternoon. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #16 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- De Morgan's law is correctly applied :-D -unless ( !$another_user || $logged_in_user->is_superlibrarian() ) { +if ( $another_user && !$logged_in_user->is_superlibrarian() ) { I reckon I started with `unless $logged_in_as_user->is_superlibrarian()` and shouldn't rephrased as I added more conditions. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #186235|0 |1 is obsolete| | --- Comment #17 from David Nind <david@davidnind.com> --- Created attachment 186251 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186251&action=edit Bug 30724: Allow superlibrarians to manage 2FA for other patrons This enhances the two-factor authentication management interface to allow superlibrarians to disable 2FA for other patrons when they lose access to their authenticator device. Controller changes (members/two_factor_auth.pl): * Accept borrowernumber parameter to select target patron * Implement authorization checks (self-service or superlibrarian) * Use proper HTTP status codes (403/404) for error conditions * Update all patron operations to use selected patron * Integrate with new reset_2fa() method for consistency * Pass another_user flag to template for conditional display Template changes (two_factor_auth.tt): * Use has_2fa_enabled() method instead of auth_method string comparison * Prevent superlibrarians from enabling 2FA for other users * Show explanatory message when 2FA setup is restricted * Maintain proper conditional display logic UI Integration changes: * Update members toolbar to show 2FA option for superlibrarians * Pass borrowernumber parameter in all 2FA-related URLs * Maintain context when canceling 2FA registration * Use consistent parameter naming (borrowernumber vs patron_id) To test: 1. Enable TwoFactorAuthentication system preference 2. Set up 2FA for a test patron 3. As superlibrarian, visit patron details page 4. Click 'Manage two-factor authentication' in toolbar => SUCCESS: 2FA management page loads for the selected patron 5. Disable 2FA for the patron => SUCCESS: 2FA is disabled for the target patron, not the superlibrarian 6. Verify 'Enable 2FA' button is hidden with explanatory text => SUCCESS: Shows message that users must enable 2FA themselves 7. Test authorization: try accessing as non-superlibrarian for different patron => FAIL: Returns 403 Forbidden error 8. Sign off :-D Sponsored-by: ByWater Solutions Signed-off-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #186236|0 |1 is obsolete| | --- Comment #18 from David Nind <david@davidnind.com> --- Created attachment 186252 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186252&action=edit Bug 30724: (follow-up) Improve user interface text and messaging This enhances the user experience with clearer, more contextual messaging throughout the two-factor authentication management interface. Template improvements: * Add contextual page titles showing patron name when managing others * Replace generic status messages with personalized, descriptive text * Provide clear explanation of why 2FA setup is restricted for admins * Add actionable guidance for superlibrarians on available options * Use appropriate alert styling (success/info/warning) for different states * Include patron names in messages for better context The new messaging explains the security rationale behind restrictions and provides clear guidance on what actions are available to different user types. To test: 1. As superlibrarian, manage 2FA for another patron => SUCCESS: Page title shows "Two-factor authentication for [Name]" => SUCCESS: Status messages are personalized with patron name => SUCCESS: Clear explanation of setup restrictions with actionable guidance 2. Manage your own 2FA => SUCCESS: Messages use "Your account" language appropriately 3. Sign off :-D Sponsored-by: ByWater Solutions Signed-off-by: Martin Renvoize <martin.renvoize@openfifth.co.uk> Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #186237|0 |1 is obsolete| | --- Comment #19 from David Nind <david@davidnind.com> --- Created attachment 186253 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=186253&action=edit Bug 30724: (follow-up) Corrections for self-enabling 2FA Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #20 from David Nind <david@davidnind.com> --- Have added my sign-off as things now work as per the test plan. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This enhancement enables release notes| |superlibrarians to turn off | |two-factor authentication | |(2FA) for a staff patron | |when they lose access to | |their authenticator | |application or device. This | |is accessed from the | |patron's account > More > | |Manage two-factor | |authentication. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |release-notes-needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|release-notes-needed | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |25.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #21 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Nice work everyone! Pushed to main for 25.11 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com Keywords| |additional_work_needed --- Comment #22 from Jonathan Druart <jonathan.druart@gmail.com> --- Tests are missing, and you broke the existing ones! t/db_dependent/selenium/authentication_2fa.t .. # Failed test 'Must be on the page with the pref on' # at t/db_dependent/selenium/authentication_2fa.t line 73. # 'Error 404 › Koha' # doesn't match '(?^u:Two-factor authentication)' -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #23 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 187962 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=187962&action=edit Bug 30724: Fix selenium tests - fix logic if no borrowernumber passed Then consider we want to edit the logged in user settings -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #24 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 187963 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=187963&action=edit Bug 30724: Fix selenium tests - wording -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #25 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 187964 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=187964&action=edit Bug 30724: Fix selenium tests - info => success class I don't think this is correct. We only want success after we enabled 2FA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #26 from Jonathan Druart <jonathan.druart@gmail.com> --- This third patch fixes the selenium tests but they are not correct IMO. We still need new tests to cover changes from this bug report. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #187962|0 |1 is obsolete| | Attachment #187963|0 |1 is obsolete| | Attachment #187964|0 |1 is obsolete| | --- Comment #27 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 188037 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188037&action=edit Bug 30724: Fix selenium tests - fix logic if no borrowernumber passed Then consider we want to edit the logged in user settings Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #28 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 188038 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188038&action=edit Bug 30724: Fix selenium tests - wording Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #29 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 188039 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188039&action=edit Bug 30724: Fix selenium tests - info => success class I don't think this is correct. We only want success after we enabled 2FA Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com --- Comment #30 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- (In reply to Jonathan Druart from comment #25)
Created attachment 187964 [details] [review] Bug 30724: Fix selenium tests - info => success class
I don't think this is correct. We only want success after we enabled 2FA
I am not sure of the problem here - you check for alert-success - but only expect it not blank when 2FA enabled, unless I misread (In reply to Jonathan Druart from comment #26)
This third patch fixes the selenium tests but they are not correct IMO.
We still need new tests to cover changes from this bug report.
More tests are always good, opened bug 41038 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|additional_work_needed | --- Comment #31 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- follow-ups pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 --- Comment #32 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to Nick Clemens (kidclamp) from comment #30)
(In reply to Jonathan Druart from comment #25)
Created attachment 187964 [details] [review] [review] Bug 30724: Fix selenium tests - info => success class
I don't think this is correct. We only want success after we enabled 2FA
I am not sure of the problem here - you check for alert-success - but only expect it not blank when 2FA enabled, unless I misread
We want the alert-success class only after the form is submitted. When you go to members/two_factor_auth.pl?borrowernumber=51 and the 2FA is enabled it should be alert-info.
(In reply to Jonathan Druart from comment #26)
This third patch fixes the selenium tests but they are not correct IMO.
We still need new tests to cover changes from this bug report.
More tests are always good, opened bug 41038
It's not "always good", it's mandatory when it's auth and we have already tests covering the area ;) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |41038 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41038 [Bug 41038] Add more test coverage for bug 30724 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 Laura Escamilla <Laura.escamilla@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Laura.escamilla@bywatersolu | |tions.com Status|Pushed to main |Needs documenting --- Comment #33 from Laura Escamilla <Laura.escamilla@bywatersolutions.com> --- This is an enhancement and will not be backported to the 25.05.x branch. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org