From ab4c69e0cc08c0b493378a4294efab51619ab402 Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:20:31 -0600
Subject: [PATCH 1/5] Add a config setting to users.
---
 config/users.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/config/users.php b/config/users.php
index 70e266eb280..568053b12a5 100644
--- a/config/users.php
+++ b/config/users.php
@@ -176,11 +176,24 @@
 | Users may be required to reauthorize before performing certain
 | sensitive actions. This is called an elevated session. Here
 | you may configure the duration of the session in minutes.
+ | You may also disable the elevated session entirely.
 |
 */
 'elevated_session_duration' => 15,
+ /*
+ |--------------------------------------------------------------------------
+ | Elevated Session Disabled
+ |--------------------------------------------------------------------------
+ |
+ | Here you may disable elevated sessions entirely. This can be
+ | useful when using OAuth.
+ |
+ */
+
+ 'elevated_session_disabled' => false,
+
 /*
 |--------------------------------------------------------------------------
 | Two-Factor Authentication
From 99e6da1c5d054a72a99d21250795ca0a7a57244b Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:21:00 -0600
Subject: [PATCH 2/5] Disable in CP if elevated sessions are disabled in config.
---
 src/Http/Controllers/CP/CpController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index b7a65ed5f88..350f9475908 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 public function requireElevatedSession(): void
 {
- if (! request()->hasElevatedSession()) {
+ if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
From 8b135cf7bfcae3c5fe7e531772cdb3f9ec07db2a Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:21:06 -0600
Subject: [PATCH 3/5] Disable in middleware if elevated sessions are disabled in config.
---
 src/Http/Middleware/CP/RequireElevatedSession.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Http/Middleware/CP/RequireElevatedSession.php b/src/Http/Middleware/CP/RequireElevatedSession.php
index cf493393a8a..efbcf859946 100644
--- a/src/Http/Middleware/CP/RequireElevatedSession.php
+++ b/src/Http/Middleware/CP/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (! $request->hasElevatedSession()) {
+ if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
From 386337dbc778ab825767f9e5031ceb7b5535ff26 Mon Sep 17 00:00:00 2001
From: Nic Bovee
Date: Wed, 8 Apr 2026 14:43:23 -0600
Subject: [PATCH 4/5] Add tests to validate the disabled elevated session behavior.
---
 tests/Auth/ElevatedSessionTest.php | 41 +++++++++++++++++++++++++++
 tests/Feature/Roles/StoreRoleTest.php | 20 +++++++++++++
 2 files changed, 61 insertions(+)
diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index b90cd98dd92..22e5970cccb 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -300,6 +300,47 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 ->assertJson(['message' => __('Requires an elevated session.')]);
 }
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->get('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->withElevatedSession(now()->subMinutes(16))
+ ->get('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
+ #[Test]
+ public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this->actingAs($this->user);
+
+ $this
+ ->withElevatedSession(now()->subMinutes(16))
+ ->getJson('/requires-elevated-session')
+ ->assertOk()
+ ->assertSee('ok');
+ }
+
 #[Test]
 public function the_session_is_elevated_upon_login()
 {
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 999431e2b95..5beffbe2880 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -68,6 +68,26 @@ public function it_denies_access_without_active_elevated_session()
 ->assertRedirect('/cp/auth/confirm-password');
 }
+ #[Test]
+ public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
+ {
+ config(['statamic.users.elevated_session_disabled' => true]);
+
+ $this
+ ->actingAsUserWithPermissions(['edit roles'])
+ ->store([
+ 'title' => 'No Elevated Session',
+ 'handle' => 'no_elevated_session',
+ 'permissions' => ['one', 'two'],
+ ])
+ ->assertOk()
+ ->assertJson(['redirect' => cp_route('roles.index')]);
+
+ $role = Role::find('no_elevated_session');
+ $this->assertEquals('No Elevated Session', $role->title());
+ $this->assertEquals(['one', 'two'], $role->permissions()->all());
+ }
+
 #[Test]
 public function it_stores_a_role()
 {
From 5158dfe3a3578ca48ef5e0baa4246720f1d0924c Mon Sep 17 00:00:00 2001
From: Steven Grant
Date: Fri, 10 Apr 2026 08:38:47 +1200
Subject: [PATCH 5/5] Rename config to elevated_sessions_enabled with true default.
---
 config/users.php | 6 +++---
 src/Http/Controllers/CP/CpController.php | 2 +-
 src/Http/Middleware/CP/RequireElevatedSession.php | 2 +-
 tests/Auth/ElevatedSessionTest.php | 6 +++---
 tests/Feature/Roles/StoreRoleTest.php | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/users.php b/config/users.php
index 568053b12a5..541aa891378 100644
--- a/config/users.php
+++ b/config/users.php
@@ -187,12 +187,12 @@
 | Elevated Session Disabled
 |--------------------------------------------------------------------------
 |
- | Here you may disable elevated sessions entirely. This can be
- | useful when using OAuth.
+ | Here you may enable or disable elevated sessions. Disabling
+ | can be useful when using OAuth.
 |
 */
- 'elevated_session_disabled' => false,
+ 'elevated_sessions_enabled' => true,
 /*
 |--------------------------------------------------------------------------
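Review bot: In the config/users.php hunk the block heading `| Elevated Session Disabled` is left as context while the key beneath it becomes `'elevated_sessions_enabled' => true`, so the heading now states the opposite of what the setting means; change it to `| Elevated Sessions Enabled`. The description should also tell the operator what they give up, since the surrounding comment (earlier in this series) describes the elevated session as the reauthorization step before sensitive actions: `| Setting this to false removes the reauthorization step before` / `| sensitive control panel actions, so only do so when your external` / `| identity provider already enforces an equivalent check.`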
diff --git a/src/Http/Controllers/CP/CpController.php b/src/Http/Controllers/CP/CpController.php
index 350f9475908..322088251d9 100644
--- a/src/Http/Controllers/CP/CpController.php
+++ b/src/Http/Controllers/CP/CpController.php
@@ -72,7 +72,7 @@ public function authorizeProIf($condition)
 public function requireElevatedSession(): void
 {
- if (! config('statamic.users.elevated_session_disabled') && ! request()->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
 }
diff --git a/src/Http/Middleware/CP/RequireElevatedSession.php b/src/Http/Middleware/CP/RequireElevatedSession.php
index efbcf859946..5229f528e49 100644
--- a/src/Http/Middleware/CP/RequireElevatedSession.php
+++ b/src/Http/Middleware/CP/RequireElevatedSession.php
@@ -9,7 +9,7 @@ class RequireElevatedSession
 {
 public function handle($request, Closure $next)
 {
- if (! config('statamic.users.elevated_session_disabled') && ! $request->hasElevatedSession()) {
+ if (config('statamic.users.elevated_sessions_enabled') && ! $request->hasElevatedSession()) {
 throw new ElevatedSessionAuthorizationException;
 }
diff --git a/tests/Auth/ElevatedSessionTest.php b/tests/Auth/ElevatedSessionTest.php
index 22e5970cccb..8b43f883d58 100644
--- a/tests/Auth/ElevatedSessionTest.php
+++ b/tests/Auth/ElevatedSessionTest.php
@@ -303,7 +303,7 @@ public function middleware_denies_request_when_elevated_session_has_expired_via_
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 $this->actingAs($this->user);
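Review bot: The rename flips the failure mode of requireElevatedSession(): `config('statamic.users.elevated_sessions_enabled') && ! request()->hasElevatedSession()` fails open when the key is absent, because an installation whose published config/users.php predates this key gets `null`, which is falsy, so the reauthorization check is silently skipped, whereas the removed `! config('…_disabled')` form kept enforcing in that situation. Unless the package merges its bundled defaults over the published file (not visible here), make the fallback explicit so a missing key still enforces: `if (config('statamic.users.elevated_sessions_enabled', true) && ! request()->hasElevatedSession()) {`. The RequireElevatedSession::handle() hunk below has the same issue with `$request->hasElevatedSession()` and wants the same default; its body continues past the hunk. The ElevatedSessionTest hunks only cover the explicit `false` case; a test that leaves the key unset and expects the middleware to still deny the request would pin the fail-closed behaviour.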
@@ -316,7 +316,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_even_if_session_expired()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 $this->actingAs($this->user);
@@ -330,7 +330,7 @@ public function middleware_does_not_require_elevated_session_when_elevated_sessi
 #[Test]
 public function middleware_does_not_require_elevated_session_when_elevated_session_is_disabled_via_json()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 $this->actingAs($this->user);
diff --git a/tests/Feature/Roles/StoreRoleTest.php b/tests/Feature/Roles/StoreRoleTest.php
index 5beffbe2880..396afd96ebd 100644
--- a/tests/Feature/Roles/StoreRoleTest.php
+++ b/tests/Feature/Roles/StoreRoleTest.php
@@ -71,7 +71,7 @@ public function it_denies_access_without_active_elevated_session()
 #[Test]
 public function it_allows_storing_a_role_without_elevated_session_when_elevated_sessions_are_disabled()
 {
- config(['statamic.users.elevated_session_disabled' => true]);
+ config(['statamic.users.elevated_sessions_enabled' => false]);
 $this
 ->actingAsUserWithPermissions(['edit roles'])