fix: disallow users with 2FA enabled to access WebDAV #7097
base: main
Conversation
The WebDAV server doesn't validate 2FA. This makes 2FA useless to some extent. I think users with 2FA enabled shouldn't be able to access WebDAV using only a password. Although this can be manually solved by changing user permissions, Alist doesn't support changing the admin's permissions.
BREAKING CHANGE: Users with 2FA enabled will not be able to access WebDAV.
Thanks for opening this pull request! Please check out our contributing guidelines.
The purpose of multi-factor authentication, in my opinion, is to protect administrative privileges and sensitive information stored in the backend, such as keys. I believe that forcibly disabling WebDAV is unacceptable. If the goal is to enhance security, the standard approach is to allow users to set a separate password for WebDAV. Currently, administrators can achieve this by creating a low-privileged, standalone account with a separate password as an alternative solution.
I think the standard approach is to allow users to set a separate password for WebDAV, too.
But the administrator's WebDAV access can't be disabled. It's hard-coded. So there is no way to let the administrator set a separate password for WebDAV.
I think the storage is also sensitive information. After all, it's a cloud drive, where one can store a lot of private data. So I think WebDAV should not be accessed by users with 2FA enabled. Any access by any user (including admin and normal users) should fully satisfy their authentication configuration. They can create separate users with a different (and more secure) password to access WebDAV. Maybe I should add a setting for this, like the sign all feature?
I have no right to decide if the changes in this PR can be merged. But adding a backend toggle or a configuration field is indeed a more acceptable solution for me.
I suggest directly adding a separate password mechanism. I guess making this change won't be much harder than adding a button. |
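The two policies argued over in this thread, written out as an added example in Go (AList's language). This is not AList's code and does not use its user model or WebDAV handler; the `User` struct, the `lookup` callback, the SHA-256 password hashing and the sample users are constructed for illustration only (a real service would use argon2 or bcrypt). The check does what the PR proposes, refusing a password-only WebDAV login for any account with an OTP secret set, and also what the reviewers suggested instead: if the account carries a separate WebDAV password, only that password is accepted on the WebDAV path, and the main password stops working there. The client is always answered with a plain 401, so the handler never reveals whether a given account has 2FA enabled; the distinct error is for server-side logging only.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a hypothetical record, not AList's model.
type User struct {
	Name       string
	PassHash   [32]byte  // hash of the main (web UI) password
	OtpSecret  string    // non-empty means 2FA is enabled for the account
	WebDAVHash *[32]byte // optional separate WebDAV password (reviewers' suggestion)
}

var (
	ErrBadCredentials = errors.New("bad credentials")
	ErrNeed2FA        = errors.New("2FA enabled and no WebDAV password set: password-only WebDAV login refused")
)

// hashPassword is illustration only; use a slow password hash in real code.
func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }

func check(h [32]byte, p string) bool {
	c := hashPassword(p)
	return subtle.ConstantTimeCompare(h[:], c[:]) == 1
}

// AuthenticateWebDAV decides whether a Basic-auth password may open a WebDAV session.
// With a separate WebDAV password set, only that password is accepted here.
// Without one, the main password is verified first, and then a 2FA account is
// refused anyway (the PR's rule), so a wrong password never leaks 2FA status.
func AuthenticateWebDAV(u *User, password string) error {
	if u.WebDAVHash != nil {
		if check(*u.WebDAVHash, password) {
			return nil
		}
		return ErrBadCredentials
	}
	if !check(u.PassHash, password) {
		return ErrBadCredentials
	}
	if u.OtpSecret != "" {
		return ErrNeed2FA
	}
	return nil
}

// WebDAVAuth wraps a WebDAV handler with HTTP Basic authentication using the policy above.
// Every failure is a bare 401; the reason is only suitable for server-side logs.
func WebDAVAuth(lookup func(name string) (*User, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, pass, ok := r.BasicAuth()
		if ok {
			if u, found := lookup(name); found && AuthenticateWebDAV(u, pass) == nil {
				next.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="webdav"`)
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
	})
}

// handlerStatus drives the wrapped handler with one Basic-auth request and returns the status code.
func handlerStatus(h http.Handler, user, pass string) int {
	req := httptest.NewRequest("PROPFIND", "/dav/", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	davPw := hashPassword("dav-only-secret") // constructed sample credentials
	users := map[string]*User{
		"admin": {Name: "admin", PassHash: hashPassword("hunter2"), OtpSecret: "JBSWY3DPEHPK3PXP"},
		"alice": {Name: "alice", PassHash: hashPassword("alicepw"), OtpSecret: "JBSWY3DPEHPK3PXP", WebDAVHash: &davPw},
		"bob":   {Name: "bob", PassHash: hashPassword("bobpw")},
	}
	lookup := func(n string) (*User, bool) { u, ok := users[n]; return u, ok }
	h := WebDAVAuth(lookup, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	fmt.Println("admin/main password:", handlerStatus(h, "admin", "hunter2"))          // 401: 2FA, no WebDAV password
	fmt.Println("alice/WebDAV password:", handlerStatus(h, "alice", "dav-only-secret")) // 200
	fmt.Println("alice/main password:", handlerStatus(h, "alice", "alicepw"))           // 401
	fmt.Println("bob/main password:", handlerStatus(h, "bob", "bobpw"))                 // 200: no 2FA
}
```

The ordering in `AuthenticateWebDAV` matters: verifying the password before consulting `OtpSecret` keeps an unauthenticated client from learning which accounts have 2FA turned on, and returning a single 401 for both outcomes keeps that property at the HTTP layer.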