Module version(s) affected
5.2.4
Description
When viewing a member, at the bottom of their member screen on the backend it says whether they have MFA set up and when their recovery codes were created. However, for any user that has MFA set up, the recovery codes created date always shows as today.
For the above example, the date in the database was 25th May 2024.
How to reproduce
- Set up MFA for a user
- Manually change the Created date in the database to some time in the past (MFARegisteredMethod > SilverStripe\MFA\BackupCode\Method > Created)
- View that user in the Security area
- The created date for the recovery codes will still be the current date
Possible Solution
There are two things wrong with this section in the admin.
Firstly, there is a typo which is why the date is always the current date.
Line 61 of `src/FormField/RegisteredMFAMethodListField.php`:
```php
'backupCreationDate' => $this->getBackupMethod()
```
`backupCreationDate` should be `backupCreatedDate`, as that is what the frontend code is expecting. This is causing the date to always show the current date.
Secondly, even when that is fixed, the backup method of the currently logged in user is being shown, not the user you are viewing.
Line 78 of `src/FormField/RegisteredMFAMethodListField.php` shows `Security::getCurrentUser()` being used whenever `getBackupMethod()` is called.
```php
protected function getBackupMethod(): ?RegisteredMethod
{
    $backupMethod = MethodRegistry::singleton()->getBackupMethod();
    return RegisteredMethodManager::singleton()->getFromMember(Security::getCurrentUser(), $backupMethod);
}
```
I have a working solution here: gavynj@fbc9369#diff-84c429bec93f6d0c4a4cdd55997e8d496dc14b3cf61d27e0a7aad8325ed12638R61
Additional Context
No response
Validations
- Check that there isn't already an issue that reports the same bug
- Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)
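
A stand-alone PHP model of the two defects described above and a regression check that tells them apart, added here as an example; it is not the module's code or the linked fix. The member IDs, timestamps and function names are constructed for illustration, and only the two array keys come from the issue.

```php
<?php
declare(strict_types=1);

// Constructed data: member ID => Created date of that member's backup-code method.
const BACKUP_CREATED = [1 => '2025-01-10 09:00:00', 2 => '2024-05-25 14:30:00'];

// Hypothetical stand-in for Security::getCurrentUser(): the admin viewing the page.
function currentUserId(): int { return 1; }

// As reported: wrong key, and the logged-in user is the subject ($viewed is ignored).
function schemaAsReported(int $viewed): array
{
    return ['backupCreationDate' => BACKUP_CREATED[currentUserId()] ?? null];
}

// Key corrected only: the second defect is now visible.
function schemaKeyFixedOnly(int $viewed): array
{
    return ['backupCreatedDate' => BACKUP_CREATED[currentUserId()] ?? null];
}

// Both corrected: the key the frontend expects, for the member being viewed.
function schemaFixed(int $viewed): array
{
    return ['backupCreatedDate' => BACKUP_CREATED[$viewed] ?? null];
}

// Regression check. It must view a member other than the logged-in one;
// viewing only yourself cannot detect the wrong-subject defect.
function check(callable $schema): array
{
    $problems = [];
    foreach (BACKUP_CREATED as $memberId => $expected) {
        $data = $schema($memberId);
        if (!array_key_exists('backupCreatedDate', $data)) {
            $problems[] = "member $memberId: key backupCreatedDate missing";
        } elseif ($data['backupCreatedDate'] !== $expected) {
            $problems[] = "member $memberId: got {$data['backupCreatedDate']}, expected $expected";
        }
    }
    return $problems;
}

foreach (['schemaAsReported', 'schemaKeyFixedOnly', 'schemaFixed'] as $fn) {
    $problems = check($fn);
    echo $fn, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```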