@zero-24
Contributor

@zero-24 zero-24 commented Oct 7, 2025

Summary of Changes

Always allow the captive page and captive.validate task even with PW reset requested. I'm not 100% sure whether it's a good way to put the code here, but at first look it looks OK and fixes the issue.

Testing Instructions

  • Install 5.4.0rc2
  • Create a secondary user within the "administrator" group
  • Force the user to reset his PW and set an initial PW
  • Force the administrator group to set up MFA (Users -> Manage -> Options -> Multi-factor Authentication)
  • Log in with that secondary user
  • Set up MFA
  • Try to do the next step

Actual result BEFORE applying this Pull Request

Endless loop, as Joomla wants you to fill the captive page and reset your PW at the same time.

Expected result AFTER applying this Pull Request

First, Joomla will allow you to fill the MFA captcha; after that it will force you to reset your PW.

Link to documentations

Please select:

  • Documentation link for docs.joomla.org:

  • No documentation changes for docs.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

@richard67 richard67 added the bug label Oct 8, 2025
@muhme
Contributor

muhme commented Oct 31, 2025

I have tested with 5.4-dev this item ✅ successfully on afec998

  • Saw the problem 'The page isn’t redirecting properly'
  • (Restarting the web server or browser was not enough to get rid of the redirect; I solved it by using another browser)
  • Applied the PR with Patch Tester; login with password, set-up of 2nd factor and password reset are possible now; logout and login again successful with both users
  • Created 3rd Administrator user without forcing the password to be reset -> forced to set up Multi-Factor, logout, login again with password and passkey, logout and login with passkey and password
  • Created 4th user editor and logged in on frontend

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46247.

@exlemor

exlemor commented Oct 31, 2025

I have tested this item ✅ successfully on afec998

I have successfully tested this! Thanks @zero-24, I would never have found this bug - great job that you did!



@muhme
Contributor

muhme commented Oct 31, 2025

RTC



@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Oct 31, 2025
@joomdonation
Contributor

I haven't had a chance to check the details yet, but maybe we should check to see why we could not use existing code to bypass password reset check for these pages?

@muhme muhme added Updates Requested Indicates that this pull request needs an update from the author and should not be tested. and removed RTC This Pull Request is Ready To Commit labels Oct 31, 2025
@richard67 richard67 removed the Updates Requested Indicates that this pull request needs an update from the author and should not be tested. label Oct 31, 2025
@richard67
Member

Back to pending. @zero-24 Could you check @joomdonation's suggestion?



@richard67 richard67 added the Updates Requested Indicates that this pull request needs an update from the author and should not be tested. label Oct 31, 2025
@zero-24
Contributor Author

zero-24 commented Oct 31, 2025

I have just tested and implemented the requested changes from @joomdonation. Looks like the backend was not tested when the PR was introduced, and because of that the task was missing and the view was an invalid view that we don't have within com_users; both are fixed now.
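
A simplified model of the interaction described in this comment and in the PR summary, added here as an illustration and not Joomla's code: a password-reset guard with an exception list and an MFA guard each redirect to their own page. The reset page's view name, the start page, the non-existent view and the guard ordering are assumptions; `com_users`, `captive` and `captive.validate` come from the thread.

```php
<?php
// Added illustration: simplified model of the two guards, not Joomla's source.
const HOME     = ['option' => 'com_example'];                             // hypothetical start page
const RESET    = ['option' => 'com_users', 'view' => 'reset_form'];       // hypothetical reset page
const CAPTIVE  = ['option' => 'com_users', 'view' => 'captive'];          // named in the PR
const VALIDATE = ['option' => 'com_users', 'task' => 'captive.validate']; // named in the PR

// An entry matches when every key it names has the same value in the request.
function matches(array $request, array $entries): bool
{
    foreach ($entries as $entry) {
        if (count(array_diff_assoc($entry, $request)) === 0) {
            return true;
        }
    }
    return false;
}

// Follows redirects until the start page is served or the hop limit is hit.
function simulate(array $resetExceptions, int $maxHops = 8): string
{
    [$resetRequired, $mfaPending, $request, $trail] = [true, true, HOME, []];
    for ($hop = 0; $hop < $maxHops; $hop++) {
        $trail[] = $request['task'] ?? $request['view'] ?? 'home';
        if ($resetRequired && !matches($request, array_merge([RESET], $resetExceptions))) {
            $request = RESET;        // password-reset guard bounces the request
        } elseif ($mfaPending && !matches($request, [CAPTIVE, VALIDATE])) {
            $request = CAPTIVE;      // MFA guard bounces the request
        } elseif ($request === CAPTIVE) {
            $request = VALIDATE;     // user submits the second factor
        } elseif ($request === VALIDATE) {
            $mfaPending = false;     // second factor accepted
            $request = HOME;
        } elseif ($request === RESET) {
            $resetRequired = false;  // new password saved
            $request = HOME;
        } else {
            return implode(' -> ', $trail) . ' (served)';
        }
    }
    return implode(' -> ', $trail) . ' (redirect loop)';
}

// Exception names a view that does not exist and no task: the guards bounce forever.
echo simulate([['option' => 'com_users', 'view' => 'no_such_view']]), PHP_EOL;
// Captive view excepted but the validate task missing: still loops after submitting.
echo simulate([CAPTIVE]), PHP_EOL;
// Both the captive view and the captive.validate task excepted: MFA first, then reset.
echo simulate([CAPTIVE, VALIDATE]), PHP_EOL;
```

The second run shows why excepting the page alone is not enough: the form renders, but its submit task is bounced back to the reset page.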

@richard67
Member

@muhme @exlemor Could you test again with the latest change when you find some time? Thanks in advance.

@richard67 richard67 removed the Updates Requested Indicates that this pull request needs an update from the author and should not be tested. label Oct 31, 2025
@exlemor

exlemor commented Oct 31, 2025

I have tested this item ✅ successfully on 88d9350

I have re-tested this PR successfully. Thanks @zero-24.



@muhme
Contributor

muhme commented Nov 1, 2025

I have tested this item ✅ successfully on 88d9350

Retested with JBT and graft PRs full package, used Passkey as second factor, on backend and frontend



@muhme
Contributor

muhme commented Nov 1, 2025

RTC



@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Nov 1, 2025
@zero-24
Contributor Author

zero-24 commented Nov 1, 2025

Thanks to the testers and @joomdonation for the tip with that array 👍

@joomdonation
Contributor

> Thanks to the testers and @joomdonation for the tip with that array 👍

Thanks for checking the suggestion and fixing the issue in the right way.

@richard67 richard67 added this to the Joomla! 5.4.1 milestone Nov 1, 2025
@richard67 richard67 merged commit d4be2a6 into joomla:5.4-dev Nov 1, 2025
61 checks passed
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Nov 1, 2025
@richard67
Member

Thanks @zero-24 for that bug fix, @joomdonation for the suggested changes, and @exlemor and @muhme for testing.
