
WooCommerce shop_manager cannot set up TOTP for her user: 403 rest_forbidden for /wp-json/two-factor/1.0/totp #557

Closed
gerdneuman opened this issue Apr 27, 2023 · 2 comments · Fixed by #560
Labels: Backup Codes, Compatibility (Compatibility with other plugins, Core, back-compat), TOTP (Time-based One-time Passwords)
Milestone: 0.8.2
Comments

@gerdneuman commented Apr 27, 2023

Describe the bug

A user with the role shop_manager is not able to set up TOTP, because the background network POST request to /wp-json/two-factor/1.0/totp fails with a 403 Forbidden error. It works for a WordPress admin user. I tested on the live and test servers. As it works for the admin user, I am pretty sure it is not related to Apache but is a capabilities or permission issue.

Any idea what capability is missing here?

Steps to Reproduce

Steps to reproduce:

  1. Log in with a user with role "shop_manager" (used in WooCommerce)
  2. Go to your profile at https://mysite.test/wp-admin/profile.php
  3. Activate TOTP and scan the QR code with an app like Authy
  4. Enter the 6-digit auth code from Authy into the input and click Submit

Actual results:

An error message is displayed saying:

Du bist leider nicht berechtigt, diese Aktion durchzuführen.
meaning something like "You are not allowed to perform this action" or "You do not have permission for this".

Browser DevTools Tab shows a network POST to https://mysite.test/wp-json/two-factor/1.0/totp that fails with 403 forbidden:

{
  "code": "rest_forbidden",
  "message": "Du bist leider nicht berechtigt, diese Aktion durchzuf\u00fchren.",
  "data": { "status": 403 }
}


Expected results:

TOTP should work as it does for the admin user. FWIW, it also works if the admin user sets up and saves TOTP for the shop_manager user.

Screenshots, screen recording, code snippet

No response

Environment information

WordPress, WooCommerce and Two Factor all with latest up-to-date versions.

From the WooCommerce status page:

### WordPress Environment ###

WC Version: 7.6.0
REST API Version: ✔ 7.6.0
WC Blocks Version: ✔ 9.8.4
Action Scheduler Version: ✔ 3.5.4
Log Directory Writable: ✔
WP Version: 6.2
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: de_DE

### Server Environment ###

Server Info: Apache/2.4.56 (Debian)
PHP Version: 8.1.17
PHP Post Max Size: 128 MB
PHP Time Limit: 600
PHP Max Input Vars: 1000
cURL Version: 7.74.0
OpenSSL/1.1.1n

SUHOSIN Installed: –
MySQL Version: 5.7.41
Max Upload Size: 128 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ✔
DOMDocument: ✔
GZip: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔

### Active Plugins (26) ###

Polylang Pro: by WP SYNTEX – 3.3.3
Akismet Anti-Spam: Spam Protection: by Automattic - Anti Spam Team – 5.1
Classic Editor: by WordPress Contributors – 1.6.3
WooCommerce Clone Orders: by Vibe Agency – 1.5.7
DHL Shipping Germany for WooCommerce: by DHL – 3.3.0
Kadence Related Content: by Kadence WP – 1.0.10
Kadence Shop Kit: by Kadence WP – 2.0.17
MC4WP: Mailchimp for WordPress: by ibericode – 4.9.3
One Stop Shop für WooCommerce: by vendidero – 1.3.7
Polylang comments merging: by Frédéric Demarle – 0.3-dev
Polylang for WooCommerce: by WP SYNTEX – 1.7.2
Lazy Load - Optimize Images: by WP Rocket – 2.3.6
ShortPixel Image Optimizer: by ShortPixel - Convert WebP/AVIF & Optimize Images – 5.2.1
Two-Factor: by Contributors – 0.8.1
Proxy Cache Purge: by Mika Epstein – 5.1.3
WooCommerce Stripe-Gateway: by WooCommerce – 7.3.0
Germanized für WooCommerce: by vendidero – 3.12.1
Advanced Order Export For WooCommerce (Pro): by AlgolPlus – 3.4.1
WooCommerce PayPal Payments: by WooCommerce – 2.0.4
PDF Invoices & Packing Slips for WooCommerce: by WP Overnight – 3.5.2
PDF Invoices & Packing Slips for WooCommerce - Professional: by WP Overnight – 2.14.1
WooCommerce Subscriptions: by WooCommerce – 5.0.1
WooCommerce: by Automattic – 7.6.0 (update to version 7.6.1 is available)
WP Overnight Sidekick: by WP Overnight – 2.5.1
wpSEO: by Kai Spriestersbach – 4.7.3
XML Sitemap & Google News: by RavanH – 5.3.3

### Inactive Plugins (2) ###

Bulletin Announcements: by Bulletin – 3.6.0
WP Mail SMTP: by WPForms – 3.7.0

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

@gerdneuman gerdneuman added the Bug label Apr 27, 2023
@gerdneuman (Author) commented

Via https://woocommerce.com/document/roles-capabilities/#section-2 I found a list of all the capabilities assigned to the Shop Manager role at https://github.com/woocommerce/woocommerce/blob/ee01d4219282387c2975ef4594677453c1dd7a0e/includes/class-wc-install.php#L1052

Not sure what is missing for /wp-json/two-factor/1.0/totp?

@dd32 (Member) commented Apr 28, 2023

Thanks for reporting this issue @gerdneuman

The capability that I believe the user is missing is edit_user. WordPress automatically grants this to all users so they can edit themselves. It uses a non-strict check, such that "123" == 123 is true.

It looks like WooCommerce overrides this edit_user capability check with some additional checks to allow editing customer accounts, but also uses a strict $user_id check for the current user, and so I believe that this plugin is passing the $user_id as a string, which fails the WooCommerce checks.

Huh, confirmed... but it's not a string. It's a float. The REST API forces it into a numeric format, but uses a float, IIRC for a greater value range on some servers. (float) 123 === (int) 123 is false, as the data types are not the same.

Ways forward:

  • Explicitly cast the floats to int in Two-factor.
  • Update WooCommerce to use a non-strict comparator, matching what WordPress core does.
  • Both of the above.

This affects Backup/Recovery Codes and TOTP.
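As an added illustration (not code from the Two-Factor plugin, WordPress core or WooCommerce), the following standalone PHP script models the three pieces dd32 describes: the REST argument coercion (assumed here to cast a schema type of 'number' to float and 'integer' to int, which is what the "user_id type to integer instead of number" change in the #560 commit message relies on), core's loose self-edit check, and a stricter plugin-side comparison. All function names (sanitize_by_schema, core_can_edit_user, strict_can_edit_user, demo) are hypothetical stand-ins, and the user ID 123 is a constructed sample.

```php
<?php
// Standalone model of the type mismatch behind this issue.
// None of this is plugin, core or WooCommerce code; the helpers below are
// simplified stand-ins with hypothetical names.

declare(strict_types=1);

// Stand-in for REST argument coercion by schema 'type'.
// Assumption: 'number' yields a float, 'integer' yields an int.
function sanitize_by_schema(string $type, $value)
{
    switch ($type) {
        case 'number':
            return (float) $value;
        case 'integer':
            return (int) $value;
        default:
            return $value;
    }
}

// Stand-in for core's self-edit grant: a user may edit their own account,
// decided with a loose (==) comparison, so 123 == 123.0 passes.
function core_can_edit_user(int $current_user_id, $target_user_id): bool
{
    return $current_user_id == $target_user_id;
}

// Stand-in for a filter that overrides that check with a strict (===)
// comparison, as dd32 describes for WooCommerce: 123 === 123.0 fails.
function strict_can_edit_user(int $current_user_id, $target_user_id): bool
{
    return $current_user_id === $target_user_id;
}

// Runs the same "edit my own account" decision through each path and
// returns whether it would be allowed (true) or produce rest_forbidden (false).
function demo(): array
{
    $current_user_id = 123;     // constructed: the logged-in shop_manager
    $raw_param       = '123';   // constructed: user_id as it arrives in the request

    $as_number  = sanitize_by_schema('number', $raw_param);   // float(123), pre-fix
    $as_integer = sanitize_by_schema('integer', $raw_param);  // int(123), post-fix

    return [
        'core_loose_number'   => core_can_edit_user($current_user_id, $as_number),        // true
        'strict_number'       => strict_can_edit_user($current_user_id, $as_number),      // false -> 403
        'strict_integer'      => strict_can_edit_user($current_user_id, $as_integer),     // true
        'strict_number_cast'  => strict_can_edit_user($current_user_id, (int) $as_number), // true
    ];
}

foreach (demo() as $case => $allowed) {
    printf("%-20s %s\n", $case, $allowed ? 'allowed' : 'rest_forbidden (403)');
}
```

The 'strict_integer' and 'strict_number_cast' rows correspond to the two "ways forward" above (declaring the argument as an integer, or casting the float to int before the capability check); either one makes both operands the same type, so the strict comparison no longer rejects a user editing their own account. One check worth doing after applying the fix: the failure here is fail-closed (a legitimate user is denied), so confirm that a shop_manager can now set up TOTP for their own account only, and is still refused for another user's ID, as the thread expects only an admin to be able to do that.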

@dd32 dd32 added the TOTP (Time-based One-time Passwords), Backup Codes, PHP (Pull requests that update PHP code) and Compatibility (Compatibility with other plugins, Core, back-compat) labels and removed the PHP label Apr 28, 2023
@dd32 dd32 added this to the 0.9.0 milestone Apr 28, 2023
spenserhale added a commit to spenserhale/wordpress-com-two-factor that referenced this issue Apr 28, 2023
@dd32 dd32 closed this as completed in #560 May 2, 2023
@dd32 dd32 closed this as completed in c725c9b May 2, 2023
dd32 pushed a commit that referenced this issue May 22, 2023
…rict user_id capability checks (#560)

* Fixing bug where Super Admins cannot setup Time Based One-Time Password as first Two Factor option on WP VIP
* refactor(Two_Factor_Backup_Codes): setting user_id type to integer instead of number to make consistent with Two_Factor_Totp

Fixes #559
Fixes #557
@dd32 dd32 mentioned this issue May 22, 2023
@jeffpaul jeffpaul modified the milestones: 0.9.0, 0.8.2 May 24, 2023