Merge pull request #27 from Automattic/add/PLTFRM-973-notice-admins

Show the MFA notice only for users with `manage_options` capabilities

Author: andrea-sdl

modules/highlight-mfa-users/class-highlight-mfa-users.php

@@ -55,6 +55,11 @@ public static function display_mfa_disabled_notice() {
 			return;
 		}
 
+		// Only show the notice to admins
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		// Only show on the main users list table
 		$screen = get_current_screen();
 		if ( ! $screen || 'users' !== $screen->id ) {

tests/phpunit/test-highlight-mfa-users.php

@@ -63,7 +63,7 @@ public function setUp(): void {
 
 		// Set skipped users option
 		update_option( Highlight_MFA_Users::MFA_SKIP_USER_IDS_OPTION_KEY, [ $this->admin_user_mfa_skipped_id ] );
-
+		wp_set_current_user( $this->admin_user_mfa_enabled_id );
 		Highlight_MFA_Users::init();
 	}
 
@@ -85,7 +85,7 @@ public function tearDown(): void {
 		$_GET                      = $this->original_get;
 		$GLOBALS['current_screen'] = $this->original_current_screen;
 		unset( $GLOBALS['current_screen'] ); // Ensure it's fully removed if it wasn't set before
-
+		wp_set_current_user( 0 );
 		parent::tearDown();
 	}
 
@@ -195,6 +195,22 @@ public function test_filter_users_by_mfa_status_does_nothing_on_wrong_page() {
 		unset( $_GET['filter_mfa_disabled'] );
 	}
 
+
+	/**
+	 * Test that the admin notice is not displayed when we're an editor
+	 */
+	public function test_display_mfa_disabled_notice_does_not_show_when_not_admin() {
+		$this->set_admin_screen_users();
+		// Set a non-admin user
+		wp_set_current_user( $this->editor_user_id );
+
+		ob_start();
+		Highlight_MFA_Users::display_mfa_disabled_notice();
+		$output = ob_get_clean();
+
+		$this->assertEquals( '', $output );
+	}
+
 	/**
 	 * Test that the admin notice is displayed correctly when MFA-disabled admins exist.
 	 */