2fa does not work after update to v1.3.3
btx opened this issue
I've updated from v1.1.0 (django-otp pinned to v0.6.0) to v1.3.3 and 2fa stopped working.
I'm able to add a 2fa device, but on the next sign-in there's no OTP prompt and I get '403 Forbidden' when I go to 'MANAGE YOUR 2FA DEVICES' in my settings.
Hi btx,
I'm unable to replicate this bug.
Could you check whether you get the same error in the sandbox environment, using the command below and the username and password from readme.rst?
make sandbox
kind regards,
Michiel
Hello Michiel,
Thanks, the sandbox works. I'll try to debug my project's installation/configuration in a few days and I'll get back here if I find something worth sharing.
I'm able to replicate it in the sandbox with WAGTAIL_2FA_REQUIRED = False.
Traceback (most recent call last):
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/wagtail/admin/urls/__init__.py", line 105, in wrapper
    return view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/wagtail/admin/auth.py", line 167, in decorated_view
    return view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/views/generic/base.py", line 71, in view
    return self.dispatch(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/src/wagtail-2fa/src/wagtail_2fa/mixins.py", line 33, in dispatch
    return self.handle_no_permission(request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/src/wagtail-2fa/src/wagtail_2fa/mixins.py", line 23, in handle_no_permission
    raise PermissionDenied
django.core.exceptions.PermissionDenied
[09/Dec/2019 13:18:25] "GET /cms/2fa/devices/1 HTTP/1.1" 403 22
Thanks for reporting this. I just managed to replicate this too. This also happens if the new VerifyUserPermissionsMiddleware is used, but the user is not in a group which has 2FA enabled.
I'm working on a fix now.