Describe the bug
A user with the role shop_manager is not able to set up TOTP, because the background POST request to /wp-json/two-factor/1.0/totp fails with 403 Forbidden. It works for a WordPress admin user. I tested on the live and the test server. As it works for the admin user, I am pretty sure it is not related to Apache but a capabilities or permission issue.
Any idea what capability is missing here?
Steps to reproduce:
- Log in with a user with the role "shop_manager" (used in WooCommerce)
- Go to your profile at https://mysite.test/wp-admin/profile.php
- Activate TOTP and scan the QR code with an app like Authy
- Enter the 6-digit code from Authy into the input and click Submit
Actual results:
An error message is displayed saying:
Du bist leider nicht berechtigt, diese Aktion durchzuführen.
meaning something like "You are not allowed to perform this action" or "You do not have the permission for this".
The browser DevTools Network tab shows a POST to https://mysite.test/wp-json/two-factor/1.0/totp that fails with 403 Forbidden:
```json
{
  "code": "rest_forbidden",
  "message": "Du bist leider nicht berechtigt, diese Aktion durchzuf\u00fchren.",
  "data": { "status": 403 }
}
```
Expected results:
TOTP should work as it does for the admin user. FWIW, it also works if the admin user sets up and saves TOTP for the shop_manager user.
Screenshots, screen recording, code snippet
No response
Environment information
WordPress, WooCommerce and Two-Factor are all at the latest up-to-date versions.
From the WooCommerce status page:
```text
### WordPress Environment ###

WC Version: 7.6.0
REST API Version: ✔ 7.6.0
WC Blocks Version: ✔ 9.8.4
Action Scheduler Version: ✔ 3.5.4
Log Directory Writable: ✔
WP Version: 6.2
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: –
WP Cron: ✔
Language: de_DE

### Server Environment ###

Server Info: Apache/2.4.56 (Debian)
PHP Version: 8.1.17
PHP Post Max Size: 128 MB
PHP Time Limit: 600
PHP Max Input Vars: 1000
cURL Version: 7.74.0, OpenSSL/1.1.1n
SUHOSIN Installed: –
MySQL Version: 5.7.41
Max Upload Size: 128 MB
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ✔
DOMDocument: ✔
GZip: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔

### Active Plugins (26) ###

Polylang Pro: by WP SYNTEX – 3.3.3
Akismet Anti-Spam: Spam Protection: by Automattic - Anti Spam Team – 5.1
Classic Editor: by WordPress Contributors – 1.6.3
WooCommerce Clone Orders: by Vibe Agency – 1.5.7
DHL Shipping Germany for WooCommerce: by DHL – 3.3.0
Kadence Related Content: by Kadence WP – 1.0.10
Kadence Shop Kit: by Kadence WP – 2.0.17
MC4WP: Mailchimp for WordPress: by ibericode – 4.9.3
One Stop Shop für WooCommerce: by vendidero – 1.3.7
Polylang comments merging: by Frédéric Demarle – 0.3-dev
Polylang for WooCommerce: by WP SYNTEX – 1.7.2
Lazy Load - Optimize Images: by WP Rocket – 2.3.6
ShortPixel Image Optimizer: by ShortPixel - Convert WebP/AVIF & Optimize Images – 5.2.1
Two-Factor: by Contributors – 0.8.1
Proxy Cache Purge: by Mika Epstein – 5.1.3
WooCommerce Stripe-Gateway: by WooCommerce – 7.3.0
Germanized für WooCommerce: by vendidero – 3.12.1
Advanced Order Export For WooCommerce (Pro): by AlgolPlus – 3.4.1
WooCommerce PayPal Payments: by WooCommerce – 2.0.4
PDF Invoices & Packing Slips for WooCommerce: by WP Overnight – 3.5.2
PDF Invoices & Packing Slips for WooCommerce - Professional: by WP Overnight – 2.14.1
WooCommerce Subscriptions: by WooCommerce – 5.0.1
WooCommerce: by Automattic – 7.6.0 (update to version 7.6.1 is available)
WP Overnight Sidekick: by WP Overnight – 2.5.1
wpSEO: by Kai Spriestersbach – 4.7.3
XML Sitemap & Google News: by RavanH – 5.3.3

### Inactive Plugins (2) ###

Bulletin Announcements: by Bulletin – 3.6.0
WP Mail SMTP: by WPForms – 3.7.0
```
Please confirm that you have searched existing issues in this repository.
Yes
Please confirm that you have tested with all plugins deactivated except Two-Factor.
Yes
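One way to answer the "which capability is missing?" question is to trace the capability checks made while the failing request is handled. The must-use plugin below is an added diagnostic example; it is not code from the Two-Factor plugin, from WooCommerce, or from this report. The route prefix `/two-factor/1.0/` is taken from the URL quoted above; the class name, the `[tf-trace]` log prefix and the choice of the PHP error log as output are assumptions of the example. It hooks `rest_request_before_callbacks` and `rest_request_after_callbacks` to bracket each request under that prefix, and `map_meta_cap` to record every meta capability checked in between, the primitive capabilities WordPress (and any plugin that also filters `map_meta_cap`) maps it to, and which of those the acting user lacks.

```php
<?php
/**
 * Plugin Name: Two-Factor capability tracer (diagnostic example)
 * Description: Logs every capability check made while a request under the
 * two-factor/1.0 REST namespace is handled. Copy into wp-content/mu-plugins/,
 * reproduce the failing TOTP setup, read the log, then delete the file.
 */

final class TF_Cap_Trace {

    // Route prefix taken from the failing URL in the report (/wp-json/two-factor/1.0/totp).
    const ROUTE_PREFIX = '/two-factor/1.0/';

    /** @var bool True while a request under ROUTE_PREFIX is being dispatched. */
    private static $active = false;

    /** @var bool Re-entrancy guard: WP_User::has_cap() calls map_meta_cap() again. */
    private static $in_filter = false;

    public static function register() {
        add_filter( 'rest_request_before_callbacks', array( __CLASS__, 'before_callbacks' ), 10, 3 );
        add_filter( 'rest_request_after_callbacks', array( __CLASS__, 'after_callbacks' ), 10, 3 );
        // Very late priority so the logged $caps are what other plugins' map_meta_cap filters left behind.
        add_filter( 'map_meta_cap', array( __CLASS__, 'trace_map_meta_cap' ), PHP_INT_MAX, 4 );
    }

    /** Runs just before the route's permission_callback: record who is calling what. */
    public static function before_callbacks( $response, $handler, $request ) {
        if ( 0 === strpos( $request->get_route(), self::ROUTE_PREFIX ) ) {
            self::$active = true;
            // Parameter names only: a TOTP enrolment request may carry secret material.
            self::log( sprintf(
                '%s %s as user #%d, params: %s',
                $request->get_method(),
                $request->get_route(),
                get_current_user_id(),
                implode( ',', array_keys( $request->get_params() ) )
            ) );
        }
        return $response;
    }

    /** Runs after the callback, or after permission_callback rejected the request. */
    public static function after_callbacks( $response, $handler, $request ) {
        if ( self::$active ) {
            if ( $response instanceof WP_Error ) {
                $outcome = 'error ' . $response->get_error_code();
            } elseif ( $response instanceof WP_REST_Response ) {
                $outcome = 'HTTP ' . $response->get_status();
            } else {
                $outcome = 'ok';
            }
            self::log( 'result for ' . $request->get_route() . ': ' . $outcome );
            self::$active = false;
        }
        return $response;
    }

    /**
     * Filter on map_meta_cap: $cap is the meta capability asked for (e.g. edit_user),
     * $caps the primitive capabilities it was mapped to. An empty $caps means the
     * check passes unconditionally; 'do_not_allow' means it fails unconditionally.
     */
    public static function trace_map_meta_cap( $caps, $cap, $user_id, $args ) {
        if ( ! self::$active || self::$in_filter ) {
            return $caps;
        }
        self::$in_filter = true;
        $user    = get_userdata( $user_id );
        $roles   = $user ? implode( ',', $user->roles ) : 'no such user';
        $missing = array();
        foreach ( (array) $caps as $primitive ) {
            if ( 'do_not_allow' === $primitive || ! $user || ! $user->has_cap( $primitive ) ) {
                $missing[] = $primitive;
            }
        }
        self::$in_filter = false;
        self::log( sprintf(
            'user #%d (%s): %s %s -> requires [%s], missing [%s]%s',
            $user_id,
            $roles,
            $cap,
            wp_json_encode( $args ),
            implode( ',', (array) $caps ),
            implode( ',', $missing ),
            $missing ? '  <-- this check FAILS' : ''
        ) );
        return $caps; // read-only: the tracer never changes the outcome of a check
    }

    private static function log( $msg ) {
        error_log( '[tf-trace] ' . $msg );
    }
}

TF_Cap_Trace::register();
```

Because the tracer uses `error_log()`, set `WP_DEBUG` and `WP_DEBUG_LOG` in wp-config.php (the status report above shows debug mode off) so the lines land in wp-content/debug.log, or read the PHP error log of the Apache vhost. Reproduce the TOTP setup once as the shop_manager user and once as an administrator and compare the two traces; the line flagged as failing names the primitive capability to check against `wp cap list shop_manager`. The filter returns `$caps` unchanged, so it cannot loosen any check, but it writes request metadata to disk and should be removed once the answer is found. When reading the 403 itself: a `rest_forbidden` body carrying the de_DE translation of "Sorry, you are not allowed to do that." is what WP_REST_Server produces when a route's `permission_callback` returns false, so the failing check lives inside that callback, which is consistent with the reporter's reasoning that Apache is not involved.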