Show the MFA notice only for users with manage_options capabilities #27
Merged
andrea-sdl merged 3 commits into production from Jun 9, 2025
Pull Request Overview
This PR restricts the display of the MFA notice to only users with the "manage_options" capability, ensuring that subscribers or non-admin users are not confused by seeing an inapplicable notice.
- Updated the logic in Highlight_MFA_Users::display_mfa_disabled_notice() to check for admin capabilities.
- Added a new PHPUnit test (test_display_mfa_disabled_notice_does_not_show_when_not_admin) to verify that non-admin users do not see the notice.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tests/phpunit/test-highlight-mfa-users.php | Added test for non-admin behaviour and updated current user reset in tearDown. |
| modules/highlight-mfa-users/class-highlight-mfa-users.php | Implemented a capability check to display the MFA notice only for admins. |
Comments suppressed due to low confidence (1)
tests/phpunit/test-highlight-mfa-users.php:199
- The doc comment for test_display_mfa_disabled_notice_does_not_show_when_not_admin() should clearly indicate that it verifies the notice is not shown for non-admin users. Consider updating the comment to accurately reflect the test scenario.
/** Test that the admin notice is displayed correctly when MFA-disabled admins exist.
brunobasto reviewed Jun 9, 2025
| /** | ||
| * Test that the admin notice is displayed correctly when MFA-disabled admins exist. |
Minor: I think you meant "when the user is not an admin" since we're testing with the editor role here.
Description
Currently, the Highlight MFA module is displaying the notice for every user landing on the user list.
This could create confusion because that's not something that every user (think subscribers) can act upon.
This PR changes the logic so that we will show the notice only if the logged-in user has manage_options capabilities.
Changelog Description
Added
manage_options capabilities ("admins")
Pre-review checklist
Please make sure the items below have been covered before requesting a review:
Pre-deploy checklist
Steps to Test