[6.1] Allow to force or never force MFA for superusers

[zero-24]

Summary of Changes

Allow to force or never force MFA for superusers too.

Testing Instructions

Go to Users -> Manage -> Options -> Multi-factor Authentication
Check the options "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"

Actual result BEFORE applying this Pull Request

Its not possible to force or never force MFA for superusers

Expected result AFTER applying this Pull Request

It is possible to force or never force MFA for superusers

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

Requested changes have been implemented.

[richard67]

Hmm, not sure if it is a new feature which would have to go into 6.1-dev.

[zero-24]

Done @richard67

[ceford]

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.}

[zero-24]

I can see that Super Users appears in each of the dropdown lists. Can you explain what happens if I select both? Will I lock myself out? Does the wording of the inline description need adjustment?

Good question i have not changed the code so the same will happen when you select both Administrator.

If anything you will not lock you self as that only makes sure that its forced that you have to setup 2FA or not. But in the end it will always be a binary decision.

This is the code so when i understand this correctly than forceing 2FA will win:

joomla-cms/libraries/src/Application/MultiFactorAuthenticationHandler.php

Lines 100 to 114 in d4be2a6

	$neverMFAUserGroups = $userOptions->get('neverMFAUserGroups', []);
	$forceMFAUserGroups = $userOptions->get('forceMFAUserGroups', []);
	$isMFADisallowed = \count(
	array_intersect(
	\is_array($neverMFAUserGroups) ? $neverMFAUserGroups : [],
	$user->getAuthorisedGroups()
	)
	) >= 1;
	$isMFAMandatory = \count(
	array_intersect(
	\is_array($forceMFAUserGroups) ? $forceMFAUserGroups : [],
	$user->getAuthorisedGroups()
	)
	) >= 1;
	$isMFADisallowed = $isMFADisallowed && !$isMFAMandatory;

[tecpromotion]

Thanks @zero-24

[tecpromotion]

I have tested this item ✅ successfully on 34b30b7

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.}

[muhme]

I have tested this item ✅ successfully on 34b30b7

Tested with JBT on currect 6.1-dev

• Checked before Superusers is not selectable in "Disable Multi-factor Authentication" and "Enforce Multi-factor Authentication"
• Applied PR with Pat h Tester
• Tested 'Disable Multi-factor Authentication' Super Users is selectable and saveable
• Enforce Multi-factor Authentication Super Users is selectable and saveable
  • Multifactore authentication is needed and working on next login

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.}

[richard67]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46248.}

[HLeithner]

thanks