2FA User Permissions Bug

  • Resolved mattybrook

    (@mattybrook)


    1 year, 8 months ago

    Hello, Ive discovered a bug with the WordFence 2FA user permissions.

    On our site we have a specific role for our users, which they should be able to reset another user’s grace period for activating their 2FA codes

    However while this button displays on a user profile, they get an error saying they cannot the grace period

    If enable the user permission ‘wf2fa_manage_settings’ then they are now able to use the button.

    However this permission also grants the ability to Login Security Settings. Which we cannot allow as this gives them the ability to manage which roles require 2FA (which means they can effectively disable it).

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @mattybrook, thank-you for your message about this.

    I’ve spoken to the team about your observations. If the user doesn’t have access to wf2fa_manage_settings, they shouldn’t see that option. The behavior where they’re unable to reset the grace period for other users without that permission is as intended, however.

    As these users have higher permissions than usual (as site users won’t see/edit other user accounts by default), but not high enough to manage the overall settings of Wordfence, that is why the option is showing despite their inability to change the value.

    We will treat this as a feature request to alter that feature’s visibility, add more specific permissions to separate the option seen here from the Login Security settings access. I can’t speculate here on the forums about delivery timescales or when it may be considered during a plugin update cycle.

    Many thanks,
    Peter.

    Thread Starter mattybrook

    (@mattybrook)

    Hi Peter,

    Apologies for the delay in response here.

    Thanks for clarification with the 2FA permission settings.

    Regarding the feature request you mentioned, while I appreciate you cannot give any time estimates. Does WordFence provide a list of future updates to come, so we can keep track of the status of this.

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘2FA User Permissions Bug’ is closed to new replies.