Closed iandunn closed 9 months ago
🤔 There shouldn't be any ways for a malicious user to pass arbitrary values. This function isn't called by anything in Two Factor right now, it only exists to make things easier for plugins.
The companion function is used in Two Factor, but in all of those cases it's called from a REST API handler, which have permission_callback functions defined (example).
I added a comment in e84e061 for clarity.
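The caller-side check described in the comment above, sketched as an added example that is not code from this PR or from the Two Factor plugin: a third-party plugin exposes a REST route and authorizes the request in permission_callback before calling Two_Factor_Core::disable_provider_for_user(). The route namespace, the function names prefixed example_, the choice of the edit_user capability and the (user ID, provider key) argument order are assumptions.

```php
<?php
// Added example: hypothetical plugin code, not from the Two Factor repository.
add_action( 'rest_api_init', 'example_register_disable_provider_route' );

function example_register_disable_provider_route() {
	register_rest_route(
		'example/v1',            // Hypothetical namespace and route.
		'/two-factor-provider',
		array(
			'methods'             => WP_REST_Server::DELETABLE,
			'callback'            => 'example_disable_provider',
			// The caller authorizes the request before the helper ever runs.
			'permission_callback' => function ( WP_REST_Request $request ) {
				return current_user_can( 'edit_user', absint( $request['user_id'] ) );
			},
			'args'                => array(
				'user_id'  => array(
					'required'          => true,
					'type'              => 'integer',
					'sanitize_callback' => 'absint',
				),
				'provider' => array(
					'required'          => true,
					'type'              => 'string',
					// Accept only provider keys the plugin reports as registered.
					'validate_callback' => function ( $value ) {
						return is_string( $value )
							&& array_key_exists( $value, Two_Factor_Core::get_providers() );
					},
				),
			),
		)
	);
}

function example_disable_provider( WP_REST_Request $request ) {
	// Assumed argument order: user ID first, provider key second.
	$disabled = Two_Factor_Core::disable_provider_for_user(
		$request['user_id'],
		$request['provider']
	);
	if ( ! $disabled ) {
		return new WP_Error( 'example_disable_failed', 'Could not disable the provider.', array( 'status' => 500 ) );
	}
	return rest_ensure_response( array( 'disabled' => $request['provider'] ) );
}
```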
What?
Adds a Two_Factor_Core::disable_provider_for_user() method.
Why?
This provides parity with the Two_Factor_Core::enable_provider_for_user() method. It's not currently used by Two Factor itself, but it allows plugins to disable an individual provider directly, rather than having to know the internals and update meta keys, etc.
One example use case for that is https://github.com/WordPress/wporg-two-factor/pull/223#pullrequestreview-1570860929, where a custom front-end UI was developed in React, using REST API endpoints.
Fixes #585
Testing Instructions
wp-admin/profile.php
and saveprofile.php
and see that the provider has been disabled. If another provider was enabled, it should now be set as the primary provider.
Changelog Entry