labd / wagtail-2fa

2 Factor Authentication for Wagtail

Home Page: https://wagtail-2fa.readthedocs.io/en/latest/

2fa does not work after update to v1.3.3

btx opened this issue

I've updated from v1.1.0 (django-otp pinned to v0.6.0) to v1.3.3 and 2fa stopped working.

I'm able to add 2fa device but on the next sign-in there's no OTP prompt and I get '403 Forbidden' when I go to 'MANAGE YOUR 2FA DEVICES' in my settings.

Hi btx,

I'm unable to replicate this bug.

Could you try if you get the same error using the sandbox environment, by using the command below and the username and password from readme.rst?

make sandbox

kind regards,
Michiel

Hello Michiel,

thanks, sandbox works. I'll try to debug my project's installation/configuration in a few days and I'll get back here if I find something worth sharing.

I'm able to replicate it in the sandbox with WAGTAIL_2FA_REQUIRED = False.

Traceback (most recent call last):
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/wagtail/admin/urls/__init__.py", line 105, in wrapper
    return view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/wagtail/admin/auth.py", line 167, in decorated_view
    return view_func(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/lib/python3.7/site-packages/django/views/generic/base.py", line 71, in view
    return self.dispatch(request, *args, **kwargs)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/src/wagtail-2fa/src/wagtail_2fa/mixins.py", line 33, in dispatch
    return self.handle_no_permission(request)
  File "/Users/btx/Sites/virtualenvs/wagtail_2fa_debug/src/wagtail-2fa/src/wagtail_2fa/mixins.py", line 23, in handle_no_permission
    raise PermissionDenied
django.core.exceptions.PermissionDenied
[09/Dec/2019 13:18:25] "GET /cms/2fa/devices/1 HTTP/1.1" 403 22

Thanks for reporting this. I just managed to replicate this too. This also happens if the new VerifyUserPermissionsMiddleware is used, but the user is not in a group which has 2FA enabled.
I'm working on a fix now.