Skip to content

Add network-level provider settings for WordPress Multisite#915

Open
faisalahammad wants to merge 2 commits into
WordPress:masterfrom
faisalahammad:fix/894-network-provider-settings
Open

Add network-level provider settings for WordPress Multisite#915
faisalahammad wants to merge 2 commits into
WordPress:masterfrom
faisalahammad:fix/894-network-provider-settings

Conversation

@faisalahammad

@faisalahammad faisalahammad commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR adds a Network Admin settings page for Two-Factor provider configuration. When the plugin is network-activated, a Super Admin can choose which providers are available across the network and decide whether subsites may override that list. The change keeps the existing site-level settings screen intact for non-network mode or when no network policy is configured.

Fixes #894

Changes

class-two-factor-core.php

  • Added network option constants: ENABLED_PROVIDERS_NETWORK_OPTION_KEY and NETWORK_ALLOW_SITE_OVERRIDE_OPTION_KEY.
  • Extended uninstall() to delete the new network options with delete_site_option().

two-factor.php

  • Added two_factor_is_network_mode() with a two_factor_network_mode filter so the network logic can be unit-tested without a Multisite install.
  • Network settings page is registered under network_admin_menu only when the plugin is network-activated.
  • Added two_factor_get_site_enabled_providers_option() and rewrote two_factor_get_enabled_providers_option() to return the effective provider list: network option first, with subsite intersection when override is allowed.
  • Updated the provider and user-provider filters to use the effective list.

settings/class-two-factor-network-settings.php (new)

  • Network Admin settings page that saves provider list and the override toggle with nonces and capability checks.
  • Provider keys are validated against the registered providers before being saved.

settings/class-two-factor-settings.php

  • When the network has taken over provider settings:
    • Override disabled: the page is read-only, shows a network-managed notice, and hides the Save button.
    • Override enabled: shows a narrowing notice and disables checkboxes for providers not enabled at the network level.
  • When the network has not configured a policy, the page behaves as before.

tests/class-two-factor-network-settings.php (new)

  • Covers network mode detection, effective option logic, provider filtering, uninstall cleanup, and the site settings page read-only/override notices.

Testing

Test 1: Network-managed provider list

  1. Network-activate the plugin.
  2. Go to Network Admin → Settings → Two-Factor.
  3. Disable "Email Codes" and save.
  4. On a subsite, edit a user profile.
  5. Result: Email Codes is not available; TOTP and Backup Codes remain available.

Test 2: Subsite override disabled

  1. On the network settings page, leave "Allow subsites to override" unchecked.
  2. On a subsite, go to Settings → Two-Factor.
  3. Result: a notice appears, all checkboxes are disabled, and the Save button is hidden.

Test 3: Subsite override enabled

  1. On the network settings page, enable only Email and TOTP, and check "Allow subsites to override".
  2. On a subsite, go to Settings → Two-Factor.
  3. Result: Backup Codes is disabled/unchecked; the site can narrow the list to TOTP only.

Automated tests

npm run composer -- test
npm run lint:php
npm run lint:phpstan

All 203 tests pass, PHPStan reports no errors, and no new PHPCS errors are introduced in the changed files.

Open WordPress Playground Preview
- Add network options for enabled providers and subsite override toggle.
- Network Admin settings page under Settings -> Two-Factor (network-activated only).
- Apply network-wide provider list; subsites can only narrow it when override is enabled.
- Keep site-level settings as fallback when the network has not configured providers.
- Show read-only notice on subsite settings when network-managed, with disabled providers visible.
- Add tests and uninstall cleanup for the network options.

Fixes WordPress#894
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: faisalahammad <faisalahammad@git.wordpress.org>
Co-authored-by: acer2021lg <ac2021lg@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@acer2021lg

Copy link
Copy Markdown

Thanks for working on this PR. This matches the Multisite use case I described in #894.

From my perspective as a network admin, the most important behavior is that providers disabled in Network Admin should not be re-enabled by individual subsites. If “Allow subsites to override” is disabled, the network provider list should be the effective policy for all subsites. Even if subsite override is enabled, subsites should only be able to narrow the network provider list, not expand it.

I noticed two small points while looking at the implementation:

  1. In a network-activated setup, the plugin “Settings” action link appears to still point to the regular site-level settings page. Should it point to the Network Admin Two-Factor settings page instead?

  2. If a Super Admin disables all providers at the network level, the setting can be saved as an empty provider list. I’m not sure whether that is intentional, but since the impact is network-wide, maybe it would be worth adding a warning or some protection against accidental misconfiguration.

Thanks again for taking this on.

- Make plugin Settings action link network-aware: points to Network Admin
  Two-Factor settings when network-activated and user can manage_network_options.
- Add network_admin_plugin_action_links handler so the link appears on
  Network Admin > Plugins.
- Guard Network Settings save against empty provider list to prevent
  network-wide lockout; show error notice and preserve existing config.
- Add PHPUnit tests for network-aware link and empty-list rejection.

Refs WordPress#915
@faisalahammad

faisalahammad commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Hi @acer2021lg,

Thank you for the feedback. Both points are addressed:

  1. Settings action link: the link is now network-aware. In network-activated mode, it points to for users with . I also registered the handler so the link appears on the Network Admin plugins screen. Subsite admins still see the site-level settings page, which shows the read-only network-managed notice.

  2. Empty provider list: the network settings page now rejects saving an empty provider list. It shows an error notice and preserves the existing configuration, so a Super Admin cannot accidentally disable all providers across the network.

Thanks again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants