Profile settings section rendered regardless of whether any providers are enabled #662

Open
Player701 opened this issue Jan 15, 2025 · 2 comments

Comments

@Player701

Describe the bug

If there are no two-factor providers enabled, the corresponding profile section is still rendered on the user settings page. This creates a visual inconsistency in scenarios where two-factor authentication needs to be disabled for a specific user or group of users.

Expected behavior: Users should not see the two-factor section in their profile settings if there are no providers currently available.

Actual behavior: Users always see the two-factor section in their profile settings even if there are no providers currently available. (See screenshot)

Steps to Reproduce

This filter will disable all providers:

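```php
// Demonstration only: registered at a late priority (9999) and returns an empty provider list.
add_filter(
    'two_factor_providers',
    function ( $providers ) {
        return [];
    },
    9999
);
```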

Of course this code is for demonstration purposes only. Actual code would likely use two_factor_enabled_providers_for_user and perform some check on the user ID first. The result, however, is the same.

Screenshots, screen recording, code snippet

Image

Environment information

WordPress 6.7.1, plugin version 0.11.0

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

@jeffpaul
Member

@Player701 in what scenario would no providers be enabled and the plugin activated?

@Player701
Author

> @Player701 in what scenario would no providers be enabled and the plugin activated?

An example scenario would be to restrict the usage of two-factor authentication to admins, or another specific group of users.

If you want to know about my particular use case:

I have only a few users on my website, but they are not power-users, and the two-factor settings are simply too confusing to them. Most of them don't even know what "two-factor" is... Additionally, all of those users browse on mobile devices, but the layout of the two-factor settings is currently partially broken on mobile and also takes up a lot of screen space.

So, believe it or not - this has actually resulted in one of the users complaining to me about their profile not updating! It turned out they somehow couldn't find the submit button at the very bottom because of all that clutter added by the plugin. Don't ask me how, it just happened...

Therefore, I've been considering disabling these settings for normal users entirely, especially taking into account that my site does not handle any security-sensitive data (e.g. payment cards and such). However, as an admin who has full management access, I still want to keep using the plugin myself.
