Issue #3487347 by rosk0, cmlara: Admin cannot disable TFA for a user

Co-authored-by: Kirill Roskolii <35789-RoSk0@users.noreply.drupalcode.org>

Issue #3487347 by rosk0, cmlara: Admin cannot disable TFA for a user
0b51e685 · Conrad Lara · 96fe336f · 0b51e685 · 0b51e685
Commit 0b51e685 authored 4 months ago by Conrad Lara
--- a/src/Controller/TfaLoginController.php
+++ b/src/Controller/TfaLoginController.php
@@ -92,6 +92,7 @@ final class TfaLoginController {
   */
  public function accessSelfOrAdmin(RouteMatchInterface $route, AccountInterface $account): AccessResult {
    $target_user = $route->getParameter('user');
+    $permission = $route->getRouteObject()?->getOption('_tfa_permission');

    // Start with a positive access result that can be cached based on the
    // current route, which includes both route name and parameters.
@@ -131,6 +132,18 @@ final class TfaLoginController {
    }

    $is_admin = $account->hasPermission('administer tfa for other users');
+
+    // Permission might not be there only on the "tfa.entry" route. Otherwise,
+    // must be present.
+    if ($is_self && isset($permission)) {
+      if (is_string($permission)) {
+        return $access->andIf(AccessResult::allowedIf($target_user->hasPermission($permission)));
+      }
+      else {
+        throw new \InvalidArgumentException('The "permission" parameter must be a string.');
+      }
+    }
+
    $is_self_or_admin = AccessResult::allowedIf($is_self || $is_admin);

    return $access->andIf($is_self_or_admin);

--- a/tfa.routing.yml
+++ b/tfa.routing.yml
@@ -38,9 +38,9 @@ tfa.overview:
    _title: 'TFA'
  requirements:
    _custom_access: '\Drupal\tfa\Controller\TfaLoginController::accessSelfOrAdmin'
-    _permission: 'setup own tfa'
  options:
    _admin_route: TRUE
+    _tfa_permission: 'setup own tfa'

 tfa.validation.setup:
  path: '/user/{user}/security/tfa/{method}'
@@ -49,9 +49,9 @@ tfa.validation.setup:
    _title: 'TFA setup'
  requirements:
    _custom_access: '\Drupal\tfa\Controller\TfaLoginController::accessSelfOrAdmin'
-    _permission: 'setup own tfa'
  options:
    _admin_route: TRUE
+    _tfa_permission: 'setup own tfa'

 tfa.disable:
  path: '/user/{user}/security/tfa/disable'
@@ -60,10 +60,10 @@ tfa.disable:
    _title: 'TFA disable'
  requirements:
    _custom_access: '\Drupal\tfa\Controller\TfaLoginController::accessSelfOrAdmin'
-    _permission: 'disable own tfa'
    user: \d+
  options:
    _admin_route: TRUE
+    _tfa_permission: 'disable own tfa'

 tfa.plugin.reset:
  path: '/user/{user}/security/tfa/{method}/{reset}'
@@ -72,6 +72,6 @@ tfa.plugin.reset:
    _title: 'TFA setup'
  requirements:
    _custom_access: '\Drupal\tfa\Controller\TfaLoginController::accessSelfOrAdmin'
-    _permission: 'setup own tfa'
  options:
    _admin_route: TRUE
+    _tfa_permission: 'setup own tfa'