
Uncaught Exception removing TOTP MFA as a user_support_manager in FusionAuth Admin UI.

Open LucasPMorris opened this issue 1 year ago • 0 comments


When a user_support_manager attempts to remove TOTP MFA from another user within the FusionAuth Admin UI, the UI displays a TOTP screen. Even if you have the code, the screen goes away and the browser is left awaiting input. One more click and you are back in the FusionAuth Admin UI.

Observed on 1.49.1; possibly affects other versions.

Steps to reproduce the behavior:

  1. Create a user (i.e. UserA) in the Default Tenant.
  2. Register them to the FusionAuth application with just the user_support_manager role.
  3. Create another user in a different Tenant and application that has MFA enabled or required (i.e. UserB).
  4. Log UserB into the application they are registered for and enable TOTP MFA. Log out.
  5. Log in to the FusionAuth app as UserA.
  6. Navigate to Users -> select UserB and select the Multi-Factor tab.
  7. Click the trash can icon next to the Authenticator MFA that was set up for UserB.

When UserA attempts to delete UserB's TOTP MFA method, they should be presented with a 'not authorized' error, not a TOTP request screen.

  • MacOS 14.2.1 (23C71)
  • Chrome 122.0.6261.112
  • MySQL 8.2

LucasPMorris, Mar 25 '24 23:03