13 changes: 13 additions & 0 deletions config/users.php
Expand Up @@ -176,11 +176,24 @@
| Users may be required to reauthorize before performing certain
| sensitive actions. This is called an elevated session. Here
| you may configure the duration of the session in minutes.
| You may also disable the elevated session entirely.
|
*/

'elevated_session_duration' => 15,

/*
|--------------------------------------------------------------------------
| Elevated Session Disabled
|--------------------------------------------------------------------------
|
| Here you may disable elevated sessions entirely. This can be
| useful when using OAuth.
|
*/

'elevated_session_disabled' => false,

/*
|--------------------------------------------------------------------------
| Two-Factor Authentication
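Review bot: The new comment block ending in `| useful when using OAuth.` does not tell an operator what they give up by flipping this flag: every action that currently forces a password re-confirmation (role changes are one, per the `/cp/auth/confirm-password` redirect asserted in StoreRoleTest) will then run on the ordinary login session alone. Suggest wording it as `| Here you may disable elevated sessions entirely. This can be useful when users authenticate through OAuth and have no local password to confirm. Note this removes the re-authorization step for every sensitive action, so only enable it when the identity provider enforces its own step-up authentication.` Since `elevated_session_duration` just above becomes irrelevant while this is true, a one-line cross-reference there (`| Ignored when elevated_session_disabled is true.`) would also save confusion.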
2 changes: 1 addition & 1 deletion src/Http/Controllers/CP/CpController.php
Expand Up @@ -72,7 +72,7 @@ public function authorizeProIf($condition)

public function requireElevatedSession(): void
{
if (! request()->hasElevatedSession()) {
if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession()) {
throw new ElevatedSessionAuthorizationException;
}
}
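Review bot: The bypass in `if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession())` switches off a re-authentication control on any truthy config value, so a mis-typed setting such as the string `'false'` or `'no'` (both truthy in PHP) would silently disable the check rather than fail closed. Because this flag relaxes security, compare it strictly and only honour an exact boolean: `if (config('statamic.users.elevated_session_disabled') !== true && ! request()->hasElevatedSession()) {`. The same condition appears in the RequireElevatedSession middleware in this PR; whichever form is chosen should be used in both places. The enclosing class starts outside the hunk.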
2 changes: 1 addition & 1 deletion src/Http/Middleware/CP/RequireElevatedSession.php
Expand Up @@ -9,7 +9,7 @@ class RequireElevatedSession
{
public function handle($request, Closure $next)
{
if (! $request->hasElevatedSession()) {
if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession()) {
throw new ElevatedSessionAuthorizationException;
}

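Review bot: The disable check at `if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession())` is now duplicated verbatim between this middleware and `CpController::requireElevatedSession()`, and any other consumer of `$request->hasElevatedSession()` (for example CP UI code deciding whether to show the confirm-password prompt, if such code exists) would still report a non-elevated session while the guards let the request through. Consider folding the flag into the `hasElevatedSession()` request macro itself, or into one shared predicate the controller and middleware both call, so the middleware line returns to `if (! $request->hasElevatedSession()) {` and the policy lives in a single place. `handle()` continues past the hunk (the `$next($request)` call is not visible here).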
41 changes: 41 additions & 0 deletions tests/Auth/ElevatedSessionTest.php
Expand Up @@ -300,6 +300,47 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
->assertJson(['message' => __('Requires an elevated session.')]);
}

#[Test]
public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
{
config(['statamic.users.elevated_session_disabled' => true]);

$this->actingAs($this->user);

$this
->get('/requires-elevated-session')
->assertOk()
->assertSee('ok');
}

#[Test]
public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
{
config(['statamic.users.elevated_session_disabled' => true]);

$this->actingAs($this->user);

$this
->withElevatedSession(now()->subMinutes(16))
->get('/requires-elevated-session')
->assertOk()
->assertSee('ok');
}

#[Test]
public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
{
config(['statamic.users.elevated_session_disabled' => true]);

$this->actingAs($this->user);

$this
->withElevatedSession(now()->subMinutes(16))
->getJson('/requires-elevated-session')
->assertOk()
->assertSee('ok');
}

#[Test]
public function the_session_is_elevated_upon_login()
{
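Review bot: All three new tests only exercise the middleware route `/requires-elevated-session`; the parallel change to `CpController::requireElevatedSession()` has no test in this file, and whether StoreRoleTest reaches the controller method or the middleware is not visible from this diff. A test that hits a route guarded by the controller method with `config(['statamic.users.elevated_session_disabled' => true])` would pin both code paths. None of the new tests sets the flag explicitly to `false`, so enforcement in the enabled state presumably rests on the earlier tests relying on the default; one test asserting `config(['statamic.users.elevated_session_disabled' => false])` still yields the 'Requires an elevated session.' response would guard against the default changing. The three cases differ only in the seeded session timestamp and request type, so a `#[DataProvider]` would express them more compactly.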
20 changes: 20 additions & 0 deletions tests/Feature/Roles/StoreRoleTest.php
Expand Up @@ -68,6 +68,26 @@ public function it_denies_access_without_active_elevated_session()
->assertRedirect('/cp/auth/confirm-password');
}

#[Test]
public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
{
config(['statamic.users.elevated_session_disabled' => true]);

$this
->actingAsUserWithPermissions(['edit roles'])
->store([
'title' => 'No Elevated Session',
'handle' => 'no_elevated_session',
'permissions' => ['one', 'two'],
])
->assertOk()
->assertJson(['redirect' => cp_route('roles.index')]);

$role = Role::find('no_elevated_session');
$this->assertEquals('No Elevated Session', $role->title());
$this->assertEquals(['one', 'two'], $role->permissions()->all());
}

#[Test]
public function it_stores_a_role()
{
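Review bot: `$this->assertEquals('No Elevated Session', $role->title());` compares a scalar loosely; `assertSame` pins type as well as value and is the conventional choice for strings, so `$this->assertSame('No Elevated Session', $role->title());` reads as the stricter assertion. A short comment above the config call, such as `// Disabling elevated sessions must let the store succeed without the confirm-password redirect asserted in it_denies_access_without_active_elevated_session.`, would make the relationship to the preceding negative test explicit for readers of this file.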