From 25be2d61d75a00c2527de476d6269d7618e77b86 Mon Sep 17 00:00:00 2001
From: Shady Sharaf <shady@sharaf.me>
Date: Mon, 14 Feb 2022 17:38:18 +0200
Subject: [PATCH 1/2] Allow enforcing 2fa for super adminns

---
 class.two-factor-force.php       | 10 ++++++++--
 tests/class.two-factor-force.php | 23 ++++++++++++++++++++---
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/class.two-factor-force.php b/class.two-factor-force.php
index 88f59ed3..73eb7be6 100644
--- a/class.two-factor-force.php
+++ b/class.two-factor-force.php
@@ -280,7 +280,12 @@ public static function is_two_factor_forced( $user_id ) {
 
 		// Check whether a user is in a user role that requires two-factor authentication.
 		$two_factor_forced_roles = self::get_forced_user_roles();
-		$required_roles          = array_filter( $user->roles, function( $role ) use ( $two_factor_forced_roles ) {
+		$user_roles              = $user->roles;
+		if ( is_super_admin( $user->ID ) ) {
+			array_push( $user_roles, 'super-admin' );
+		}
+
+		$required_roles          = array_filter( $user_roles, function( $role ) use ( $two_factor_forced_roles ) {
 			return in_array( $role, $two_factor_forced_roles, true );
 		}, ARRAY_FILTER_USE_BOTH );
 
@@ -373,12 +378,13 @@ public static function global_force_2fa_field() {
 	public static function global_force_2fa_by_role_field() {
 		$forced_roles          = self::get_forced_user_roles();
 		$is_universally_forced = self::get_universally_forced_option();
+		$roles                 = array_merge( [ 'super-admin' => [ 'name' => 'Super Administrator' ] ], get_editable_roles() );
 
 		?>
 		<input type="hidden" name="<?php echo esc_attr( sprintf( '%s[%s]', self::FORCED_ROLES_META_KEY, 'no-role-selected' ) ); ?>" />
 		<?php
 
-		foreach ( get_editable_roles() as $slug => $role ) :
+		foreach ( $roles as $slug => $role ) :
 			?>
 			<label>
 				<input type='checkbox' name="<?php echo esc_attr( sprintf( '%s[%s]', self::FORCED_ROLES_META_KEY, $slug ) ); ?>" value="1" <?php checked( in_array( $slug, $forced_roles, true ) ); ?> <?php echo ( $is_universally_forced ) ? 'readonly' : ''; ?> />
diff --git a/tests/class.two-factor-force.php b/tests/class.two-factor-force.php
index bf007291..51b981d0 100644
--- a/tests/class.two-factor-force.php
+++ b/tests/class.two-factor-force.php
@@ -12,7 +12,7 @@ class Test_ClassTwoFactorForce extends WP_UnitTestCase {
 	 */
 	public function test_add_hooks() {
 		Two_Factor_Force::add_hooks();
-		
+
 		$this->assertGreaterThan(
 			0,
 			has_action(
@@ -170,6 +170,23 @@ public function test_is_two_factor_forced_captured_role() {
 		$this->assertTrue( Two_Factor_Force::is_two_factor_forced( $user->ID ) );
 	}
 
+	/**
+	 * @covers Two_Factor_Force::is_two_factor_forced
+	 */
+	public function test_is_two_factor_forced_super_admin() {
+		// Set role-based value to editors and adminstrators.
+		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'super-admin' ] );
+
+		$user = new WP_User( $this->factory->user->create( [ 'role' => 'administrator' ] ) );
+		wp_set_current_user( $user->ID );
+		// Make the user super admin
+		add_filter( 'pre_site_option_site_admins', function() use ( $user ) {
+			return [ $user->user_login ];
+		} );
+
+		$this->assertTrue( Two_Factor_Force::is_two_factor_forced( $user->ID ) );
+	}
+
 	/**
 	 * @covers Two_Factor_Force::get_universally_forced_option
 	 */
@@ -185,8 +202,8 @@ public function test_get_universally_forced_option_multisite() {
 	 */
 	public function test_get_forced_user_roles_multisite() {
 		// Set role-based value to editors and adminstrators.
-		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'author', 'editor', 'administrator' ] );
+		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'author', 'editor', 'administrator', 'super-admin' ] );
 
-		$this->assertEquals( [ 'author', 'editor', 'administrator' ], Two_Factor_Force::get_forced_user_roles() );
+		$this->assertEquals( [ 'author', 'editor', 'administrator', 'super-admin' ], Two_Factor_Force::get_forced_user_roles() );
 	}
 }

From e1debbf467ffd88a1f45560bb29c1ff72fb793f7 Mon Sep 17 00:00:00 2001
From: Shady Sharaf <shady@sharaf.me>
Date: Mon, 14 Feb 2022 18:17:15 +0200
Subject: [PATCH 2/2] Translate role name

---
 class.two-factor-force.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class.two-factor-force.php b/class.two-factor-force.php
index 73eb7be6..a62547f6 100644
--- a/class.two-factor-force.php
+++ b/class.two-factor-force.php
@@ -378,7 +378,7 @@ public static function global_force_2fa_field() {
 	public static function global_force_2fa_by_role_field() {
 		$forced_roles          = self::get_forced_user_roles();
 		$is_universally_forced = self::get_universally_forced_option();
-		$roles                 = array_merge( [ 'super-admin' => [ 'name' => 'Super Administrator' ] ], get_editable_roles() );
+		$roles                 = array_merge( [ 'super-admin' => [ 'name' => __( 'Super Admin' ) ] ], get_editable_roles() );
 
 		?>
 		<input type="hidden" name="<?php echo esc_attr( sprintf( '%s[%s]', self::FORCED_ROLES_META_KEY, 'no-role-selected' ) ); ?>" />