View Issue Detail
ID: 02327
Project: UserSpice
Category: Triage
Submitted / Last Updated: 2026-04-15 00:38:21
Reported by: Espresso Dan
Assigned To: Unassigned
Priority: none
Reported in version: 6.0.6
Status: new
Resolution Version and Commit:

Summary: TFA breaks cloaking

Description:
Recent updates have introduced a conflict between TFA and cloaking. When cloaking, `totp_enforcement.php` enforces TOTP for the account being cloaked into. Although this is consistent with the general security model, it may conflict with the intended use of the cloaking privilege for some scenarios.

As a basic resolution, the logic in `handleTotpRedirects()` could be wrapped in a check to determine whether an administrator is cloaking in, and, as a safeguard, whether that administrator is permitted to cloak:

```php
// Run the existing TOTP enforcement unless the session belongs to a cloaking
// administrator whose own account is permitted to cloak.
if (!(isset($_SESSION['cloak_from']) && fetchUser($_SESSION['cloak_from'])->cloak_allowed == 1)) {
    .....[current logic around line 240]....
}
```

However, this makes an assumption around how an administrator may want cloaking to function on their site. A better approach would be to add an additional option in user management alongside “Is allowed to cloak”, such as “Cloak must honour TOTP”. This would provide finer control over cloaking permissions, allowing an administrator to permit some cloaking users to bypass TOTP while requiring others to comply with TOTP.

In future, it may also be useful to provide more granular cloaking controls to define which accounts a cloaking user can cloak into. I may implement this in future and provide it as a feature update if I do.
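A sketch of the finer-grained option proposed in the report, added here as an illustration and not code from UserSpice or from the reporter. It assumes a hypothetical per-user flag `cloak_honour_totp` (the "Cloak must honour TOTP" option) stored next to `cloak_allowed`, and a `fetchUser()` that returns null for an unknown id; the decision fails closed, so TOTP is enforced whenever the cloaking administrator cannot be verified.

```php
<?php
// Decide whether totp_enforcement.php should run its TOTP checks for the
// current request. Illustration only: `cloak_honour_totp` is a hypothetical
// user-management flag, not an existing UserSpice column.
function shouldEnforceTotp(array $session, callable $fetchUser): bool
{
    // Not cloaking: the normal security model applies unchanged.
    if (!isset($session['cloak_from'])) {
        return true;
    }

    $admin = $fetchUser($session['cloak_from']);

    // Fail closed: an unknown origin account, or one that is not itself
    // permitted to cloak, never earns a bypass.
    if ($admin === null || (int) $admin->cloak_allowed !== 1) {
        return true;
    }

    // A permitted cloaker bypasses TOTP only when the administrator has not
    // marked that account "Cloak must honour TOTP".
    return (int) $admin->cloak_honour_totp === 1;
}

// Constructed sample accounts standing in for fetchUser() results.
$users = [
    7 => (object) ['cloak_allowed' => 1, 'cloak_honour_totp' => 0],
    8 => (object) ['cloak_allowed' => 1, 'cloak_honour_totp' => 1],
    9 => (object) ['cloak_allowed' => 0, 'cloak_honour_totp' => 0],
];
$fetch = fn(int $id) => $users[$id] ?? null;

var_dump(shouldEnforceTotp([], $fetch));                   // no cloak_from in session
var_dump(shouldEnforceTotp(['cloak_from' => 7], $fetch));  // permitted cloaker, bypass allowed
var_dump(shouldEnforceTotp(['cloak_from' => 8], $fetch));  // permitted cloaker, must honour TOTP
var_dump(shouldEnforceTotp(['cloak_from' => 9], $fetch));  // origin account not allowed to cloak
var_dump(shouldEnforceTotp(['cloak_from' => 42], $fetch)); // unknown origin account
```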