Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add method to disable an individual provider #587

Merged
merged 2 commits into from
Sep 7, 2023
Merged

Conversation

iandunn
Copy link
Member

@iandunn iandunn commented Aug 31, 2023

What?

Adds a Two_Factor_Core::disable_provider_for_user() method.

Why?

This provides parity with the Two_Factor_Core::enable_provider_for_user() method. It's not currently used by Two Factor itself, but it allows plugins to disable an individual provider directly, rather than having to know the internals and update meta keys, etc.

One example use case for that is WordPress/wporg-two-factor#223 (review), where a custom front-end UI was developed in React, using REST API endpoints.

Fixes #585

Testing Instructions

  1. Enable a provider via wp-admin/profile.php and save
  2. Add the following code in an mu-plugin. Replace the name of the provider with one you enabled.
    add_action( 'init', function() {
    Two_Factor_Core::disable_provider_for_user( get_current_user_id(), 'Two_Factor_Dummy' );
    } );
  3. Refresh profile.php and see that the provider has been disabled. If another provider was enabled, it should now be set as the primary provider.

Changelog Entry

Added - New Two_Factor_Core::disable_provider_for_user() method provides parity with the Two_Factor_Core::enable_provider_for_user() method. It allows plugins to disable an individual provider directly, rather than having to know the internals and update meta keys, etc.

@iandunn iandunn self-assigned this Aug 31, 2023
@iandunn iandunn changed the title Disable provider Add method to disable an individual provider Aug 31, 2023
@jeffpaul jeffpaul added this to the 0.9.0 milestone Sep 1, 2023
@iandunn iandunn marked this pull request as ready for review September 1, 2023 23:02
@iandunn iandunn requested a review from kasparsd September 1, 2023 23:03
@iandunn iandunn requested a review from pkevan September 5, 2023 21:46
Copy link
Contributor

@pkevan pkevan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to add some kind of caps check here to avoid a users' provider being disabled just by values being arbitrarily passed?

Not sure if this is covered by any of the other functions used, but probably worth noting if they are.

@iandunn
Copy link
Member Author

iandunn commented Sep 6, 2023

🤔 There shouldn't be any ways for a malicious user to pass arbitrary values. This function isn't called by anything in Two Factor right now, it only exists to make things easier for plugins.

The companion function is used in Two Factor, but in all of those cases it's called from a REST API handler, which have permission_callback functions defined (example).

I added a comment in e84e061 for clarity.

@iandunn iandunn merged commit 2b0d9bc into master Sep 7, 2023
@kasparsd kasparsd mentioned this pull request Apr 23, 2024
@jeffpaul jeffpaul deleted the disable_provider branch May 8, 2024 20:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Implement Disable Provider method
3 participants