Enable 2FA by default #1213
Conversation
We should just need Automattic/jetpack#12029 to make this all work. |
Instead of the previous Jetpack PR, we need WordPress/two-factor#276 / #1214 |
I'm thinking we get this deployed with Then we announce via the lobby that you can filter that now to force 2FA for any users you want and starting some time in the future (maybe 1 month from now?) we will default it for all users that can edit posts. |
Spotted a couple of minor things.
We'll want to test this out with the following scenarios:
|
The only caps a restricted user needs are `read` and `edit_user` (only for themselves).
Co-Authored-By: joshbetz <[email protected]>
If we call `current_user_can` inside `map_meta_cap`, we create a callback loop. By calling it outside, we avoid that issue.
Before this date, we just output an admin notice to users that will need to enable 2FA. The logic to display the date got a little complex, but ensuring the notice is in their local timezone is worth it. After the date specified, the admin notice switches to say 2FA is required and only the most basic functions are available. This is a date that's a month from now in the middle-ish of the day in the middle of the week (so plenty of support will be around in case there are questions).
In 1f8dc49 we time gate forcing for everyone with |
Whatever date we decide, we should set up a couple Slack reminders :) |
This allows clients to override the time gate and force two factor at any time. Previously two factor could only be force enabled after the date specified.
If the timezone string is not set, use UTC as a backup.
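An added example, not the PR's or the two-factor plugin's code, of the mechanism these commits describe: the forced-2FA decision is made on `init`, outside the filter, so `map_meta_cap` is never re-entered; only `read` and `edit_user` (own account) survive; the deadline is filterable so clients can force 2FA early; and the notice date falls back to UTC when `timezone_string` is unset. The `example_` hook names and the year in the deadline are assumptions; `Two_Factor_Core::is_user_using_two_factor()` is the plugin's own helper.

```php
<?php
// Added example (not the PR's code): time-gated forced 2FA that trims capabilities
// without re-entering map_meta_cap. Hook names prefixed "example_" are assumed.
// Deadline after which 2FA is mandatory for editors. Constructed placeholder: the
// thread gives May 23 @ 1800 UTC without a year. Clients may move it via a filter.
function example_2fa_force_timestamp() {
    $default = strtotime( '2019-05-23 18:00:00 UTC' ); // assumed year
    return (int) apply_filters( 'example_force_two_factor_after', $default );
}

function example_2fa_is_forced_now() {
    // A client can force 2FA immediately, ignoring the time gate entirely.
    if ( apply_filters( 'example_force_two_factor', false ) ) {
        return true;
    }
    return time() >= example_2fa_force_timestamp();
}

// Render the deadline in the site's timezone for the admin notice, falling back
// to UTC when the timezone_string option is empty (sites configured by gmt_offset).
function example_2fa_local_deadline() {
    $tz   = get_option( 'timezone_string' );
    $date = new DateTime( '@' . example_2fa_force_timestamp() );
    $date->setTimezone( new DateTimeZone( $tz ? $tz : 'UTC' ) );
    return $date->format( 'F j, Y g:ia T' );
}

// Decide OUTSIDE the filter whether this user must be restricted: calling
// current_user_can() inside a map_meta_cap callback would invoke the filter again.
function example_2fa_maybe_restrict() {
    if ( ! current_user_can( 'edit_posts' ) || ! example_2fa_is_forced_now() ) {
        return; // not in scope, or still before the deadline (notice only)
    }
    if ( class_exists( 'Two_Factor_Core' )
        && Two_Factor_Core::is_user_using_two_factor( get_current_user_id() ) ) {
        return; // already enrolled, nothing to restrict
    }
    add_filter( 'map_meta_cap', 'example_2fa_restrict_caps', 10, 4 );
}
add_action( 'init', 'example_2fa_maybe_restrict' );
// Keep only `read` and `edit_user` on the user's own account; deny everything else.
function example_2fa_restrict_caps( $caps, $cap, $user_id, $args ) {
    if ( 'read' === $cap ) {
        return $caps;
    }
    if ( 'edit_user' === $cap && isset( $args[0] ) && (int) $args[0] === (int) $user_id ) {
        return $caps;
    }
    return array( 'do_not_allow' );
}
```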
Tested variations sites that are manually loading
Also, sites that load another copy of I didn't experience any issues. The sites I tested on a sandbox transparently switched to our version of |
Also tested sites with jetpack-force-2fa enabled, the require two-step setting in Jetpack, and both at the same time. |
@mjangda I think we should be all set here as long as we're OK with May 23 @ 1800 UTC for forcing 2FA for everyone. |
```
Notice: wp_register_script was called incorrectly. Scripts and styles should not be registered or enqueued until the wp_enqueue_scripts, admin_enqueue_scripts, or login_enqueue_scripts hooks.
```
https://codex.wordpress.org/Roles_and_Capabilities#User_Levels Co-Authored-By: joshbetz <[email protected]>
Make the message more prominent, consistent, and add more context.
Only blocker now is being able to link directly to the "Two-Factor Options". Everything else is good to go. |
👍 🎉 🎂
To be deployed on Tuesday. |
r138198-deploy |
Enables two-factor by default and requires it for anyone with `edit_posts` capabilities.
Deploy Notes
We need to deploy a fix to two-factor that lets it work with Jetpack SSO: WordPress/two-factor#276 / #1214
Testing