Module version(s) affected
5.4
Description
AdminRegistrationController::startRegistration() performs a sudo mode check.
However, when that check fails, the response is "Invalid session. Please refresh and try again."
That is not a helpful message when the check is entirely about sudo mode.
Refreshing may fix it, but you will get the same message again if you never enabled sudo mode at all.
How to reproduce
I tried to enable MFA on a user that already existed on a site.
- Set `SS_MFA_SECRET_KEY="foobar"`
- Set up an additional user (User2) (follow all sign-up processes, enable MFA on the other user, etc.)
- Log out of all users
- Simulate a hosting platform change that loses the `SS_MFA_SECRET_KEY` by fully commenting it out of your .env and clearing all caches
- Attempt to log in as User2; an MFA failure should happen, expecting "This authentication method is unavailable"
- Now log in as the admin account that doesn't have MFA
- Navigate to the user security area
- Do not action the sudo mode
- Attempt to edit the MFA details on User2 and save
- Expect to see "Invalid session. Please refresh and try again."
Possible Solution
Update message to mention sudo mode.
Additional Context
No response
Validations
- Check that there isn't already an issue that reports the same bug
- Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)