Comments (3)
Hi, thanks for reaching out! At the moment MFA is only implemented for the Control Panel requests, so it should only be enabled for the users who have access to the Control Panel.
That being said, we are working on a front-end solution!
from cms.
Hi, I've come across this for a site I'm working on.
Adding this Event hook removes the issue with the template load:

```php
use Craft;
use craft\events\RegisterComponentTypesEvent;
use craft\services\Auth;
use yii\base\Event;

Event::on(Auth::class, Auth::EVENT_REGISTER_METHODS, function (RegisterComponentTypesEvent $event) {
    if (!Craft::$app->getRequest()->getIsCpRequest()) {
        // remove all types for FE requests
        $event->types = [];
    }
});
```
However, if a user logs in to the front end they can then access the control panel (e.g. by entering the URL), without the extra MFA step.

> we are working on a front-end solution!
Are you able to share what your approach is going to be or a roadmap for front end MFA?
I don't need front end MFA (yet) but would be good to still have the security on the back end if a user logs in.
Many thanks
from cms.
🚨 This part is worth stressing, for anyone else coming across the thread!
> However if a user logs in to the front end they can then access the control panel (e.g. by entering the url), without the extra MFA step.
Whether or not Craft treats a request as a “site request” is unrelated to the authenticating user’s permissions! A user with access to the control panel could very well sign in via a front-end login form and bypass auth checks.
The “correct” way to avoid MFA for front-end users I believe would be to place these users in groups that don't overlap with those that grant CP access or require MFA—either that, or check the authenticating user’s permissions prior to removing MFA methods.
from cms.
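The permission check suggested in the last comment, written out as an added example (not code from Craft or from either commenter). It assumes the front-end login form posts the standard `loginName` field when the event fires; `mayDropMfaMethods()` is a hypothetical helper name, and any request where the account cannot be identified keeps MFA registered.

```php
<?php
// Added example. The use statements go at the top of the module file,
// the rest inside the module's init().
use Craft;
use craft\elements\User;
use craft\events\RegisterComponentTypesEvent;
use craft\services\Auth;
use yii\base\Event;

/**
 * Hypothetical helper: may MFA methods be dropped for this request?
 * Fails closed, so any doubt about who is signing in keeps MFA in place.
 */
function mayDropMfaMethods(bool $isCpRequest, ?User $user): bool
{
    if ($isCpRequest || $user === null) {
        return false; // control panel request, or account not identified
    }
    // The request type says nothing about the account. Only an account
    // that cannot open the control panel at all may skip MFA.
    return !$user->can('accessCp');
}

Event::on(Auth::class, Auth::EVENT_REGISTER_METHODS, function (RegisterComponentTypesEvent $event) {
    $request = Craft::$app->getRequest();
    if ($request->getIsConsoleRequest()) {
        return; // console requests carry no login form data
    }

    // Assumption: the account being authenticated is named in the posted
    // `loginName` field. If it is absent, $user stays null and MFA stays on.
    $loginName = $request->getBodyParam('loginName');
    $user = is_string($loginName) && $loginName !== ''
        ? Craft::$app->getUsers()->getUserByUsernameOrEmail($loginName)
        : null;

    if (mayDropMfaMethods($request->getIsCpRequest(), $user)) {
        $event->types = [];
    }
});
```

Keeping front-end users in groups that grant no control panel access, as the same comment recommends, remains the simpler control; this hook only narrows the original one so that accounts with `accessCp` never lose the MFA step.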