twofactor_totp
Limit to Groups still displays TOTP second-factor auth in all users' settings
When the App is limited to specific groups, the security settings page of all users still shows the option:
TOTP second-factor auth [ ] Enable TOTP
Checking the checkbox on an account not in any enabled group results in a reload and automatic unchecking.
Steps to reproduce:
- As admin user, go to Apps -> Security and enable 'Two Factor TOTP Provider'
- Go to Apps -> Enabled apps
- find 'Two Factor TOTP Provider'
- check 'limit to groups', choose group 'admin'
- Log in as a normal user
- Go to the settings -> security page
- scroll down, find 'TOTP second-factor auth' and click 'Enable TOTP'
This might not be a big problem in a private setting; however, in a corporate environment that leads to irritated users calling for support.
Does this only affect TOTP, or do other apps load as well even though they are just enabled for a specific group? Could you please check? Thanks.
I tested the 'Two Factor U2F' App. It seems to have the same problem. Except here I get an error: "Cannot read property 'appId' of undefined" when clicking on 'Add U2F device'. So maybe it's not an App issue, but a core problem?
> So maybe it's not an App issue, but a core problem?
Smells like one, yes. Would you mind opening a ticket in the server repo at https://github.com/nextcloud/server/issues/new? If it's indeed a server issue we should look into that.
Thanks a lot for reporting this!
This actually might be an issue with the settings pages. @blizzz is it possible that we're showing settings sections for all apps, not just the ones that are enabled for a user?
@ChristophWurst I expect the settings class won't be loaded when the app is not. I did not try to reproduce it yet.
Okay, no worries. I'll try to find some time next week to give this a test run. Thanks for your input.
I opened an issue in the server repo: https://github.com/nextcloud/server/issues/10051