Automattic · andrea-sdl · Jun 9, 2025 · Jun 6, 2025 · Jun 6, 2025 · Jun 9, 2025
diff --git a/modules/highlight-mfa-users/class-highlight-mfa-users.php b/modules/highlight-mfa-users/class-highlight-mfa-users.php
@@ -55,6 +55,11 @@ public static function display_mfa_disabled_notice() {
 			return;
 		}
 
+		// Only show the notice to admins
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		// Only show on the main users list table
 		$screen = get_current_screen();
 		if ( ! $screen || 'users' !== $screen->id ) {

diff --git a/tests/phpunit/test-highlight-mfa-users.php b/tests/phpunit/test-highlight-mfa-users.php
@@ -63,7 +63,7 @@ public function setUp(): void {
 
 		// Set skipped users option
 		update_option( Highlight_MFA_Users::MFA_SKIP_USER_IDS_OPTION_KEY, [ $this->admin_user_mfa_skipped_id ] );
-
+		wp_set_current_user( $this->admin_user_mfa_enabled_id );
 		Highlight_MFA_Users::init();
 	}
 
@@ -85,7 +85,7 @@ public function tearDown(): void {
 		$_GET                      = $this->original_get;
 		$GLOBALS['current_screen'] = $this->original_current_screen;
 		unset( $GLOBALS['current_screen'] ); // Ensure it's fully removed if it wasn't set before
-
+		wp_set_current_user( 0 );
 		parent::tearDown();
 	}
 
@@ -195,6 +195,25 @@ public function test_filter_users_by_mfa_status_does_nothing_on_wrong_page() {
 		unset( $_GET['filter_mfa_disabled'] );
 	}
 
+
+	/**
+	 * Test that the admin notice is displayed correctly when MFA-disabled admins exist.
+	 */
+	public function test_display_mfa_disabled_notice_does_not_show_when_not_admin() {
+		$this->set_admin_screen_users();
+		// Set a non-admin user
+		wp_set_current_user( $this->editor_user_id );
+
+		ob_start();
+		Highlight_MFA_Users::display_mfa_disabled_notice();
+		$output = ob_get_clean();
+
+		$this->assertEquals( '', $output );
+
+		// Reset current user
+		wp_set_current_user( 0 );
+	}
+
 	/**
 	 * Test that the admin notice is displayed correctly when MFA-disabled admins exist.
 	 */