Open kaitlinbolling opened 1 month ago
From what I can tell, this error is caused by an infinite loop:
wpcom_vip_enforce_two_factor_plugin()
is called when the VIP two-factor.php
plugin loads.wpcom_vip_two_factor_filter_caps()
is added as a filter to map_meta_cap
.wpcom_vip_two_factor_filter_caps()
calls wpcom_vip_is_two_factor_forced()
.wpcom_vip_is_two_factor_forced()
applies the wpcom_vip_is_two_factor_forced
filter.wpcom_vip_is_two_factor_forced
filter calls Force_Two_Factor_Authentication::filter__wpcom_vip_is_two_factor_forced()
.Force_Two_Factor_Authentication::filter__wpcom_vip_is_two_factor_forced()
calls Force_Two_Factor_Authentication::force_to_enable_2fa()
.Force_Two_Factor_Authentication::force_to_enable_2fa()
calls current_user_can()
.current_user_can()
calls map_meta_cap()
.map_meta_cap()
applies the map_meta_cap
filter, which calls wpcom_vip_two_factor_filter_caps()
again, etc.In a local development environment running Alleyvate and the VIP mu-plugins, it should be possible to recreate the infinite loop with:
add_filter( 'wpcom_vip_is_two_factor_local_testing', '__return_true' );
It might be possible to simplify the logic of the Alleyvate 2FA feature when it runs on VIP environments by switching to the wpcom_vip_two_factor_enforcement_cap
filter, i.e.:
add_filter( 'wpcom_vip_two_factor_enforcement_cap', fn () => 'edit_posts' );
However, this filter would need to be added before plugins_loaded
, which is earlier than Alleyvate currently boots features. The 2FA feature could be handled differently so that it runs earlier, but I think that might be a breaking change that would require documentation and a major version bump.
Description of the bug
On WordPress VIP, when a new user is created via WP CLI or the WordPress admin and two-factor authentication is not enabled, the user experiences a 502 nginx error when trying to log in.
Steps To Reproduce
Additional Information
No response