PluginProbe ʕ •ᴥ•ʔ
WP 2FA – Two-factor authentication for WordPress / 2.9.0
WP 2FA – Two-factor authentication for WordPress v2.9.0
4.0.0 1.7.1 2.0.0 2.0.1 2.1.0 2.2.0 2.2.1 2.3.0 2.4.0 2.4.1 2.4.2 2.5.0 2.6.0 2.6.1 2.6.2 2.6.3 2.6.4 2.7.0 2.8.0 2.9.0 2.9.1 2.9.2 2.9.3 3.0.0 3.0.1 3.1.0 3.1.1 3.1.1.2 trunk 1.2.0 1.3.0 1.4.0 1.4.1 1.4.2 1.5.0 1.5.1 1.5.2 1.6.0 1.6.1 1.6.2 1.7.0
wp-2fa / includes / classes / Admin / SettingsPages / class-settings-page-general.php
wp-2fa / includes / classes / Admin / SettingsPages Last commit date
class-settings-page-email.php 11 months ago class-settings-page-general.php 11 months ago class-settings-page-policies.php 11 months ago class-settings-page-render.php 11 months ago class-settings-page-white-label.php 11 months ago index.php 11 months ago
class-settings-page-general.php
332 lines
1 <?php
2 /**
3 * Generals settings class.
4 *
5 * @package wp2fa
6 * @subpackage settings-pages
7 *
8 * @copyright 2025 Melapress
9 * @license https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
10 *
11 * @see https://wordpress.org/plugins/wp-2fa/
12 */
13
14 namespace WP2FA\Admin\SettingsPages;
15
16 use WP2FA\Utils\Debugging;
17 use WP2FA\Utils\Settings_Utils;
18 use WP2FA\WP2FA;
19
20 /*
21 * General settings tab
22 */
23 if ( ! class_exists( '\WP2FA\Admin\SettingsPages\Settings_Page_General' ) ) {
24 /**
25 * Settings_Page_General - Class for handling general settings.
26 *
27 * @since 2.0.0
28 */
29 class Settings_Page_General {
30 /**
31 * Renders the settings.
32 *
33 * @return void
34 *
35 * @since 2.0.0
36 */
37 public static function render() {
38 if ( ! current_user_can( 'manage_options' ) ) {
39 return;
40 }
41 settings_fields( WP_2FA_SETTINGS_NAME );
42 self::no_method_exists();
43 self::disable_brute_force_settings();
44 self::limit_settings_access();
45 self::remove_data_upon_uninstall();
46 submit_button( null, 'primary', WP_2FA_SETTINGS_NAME . '[submit]' );
47 }
48
49 /**
50 * Validate options before saving.
51 *
52 * @param array $input The settings array.
53 *
54 * @return array|void
55 *
56 * @since 3.0.0
57 */
58 public static function validate_and_sanitize( $input ) {
59 // Bail if user doesn't have permissions to be here.
60 if ( ! current_user_can( 'manage_options' ) || ! isset( $_POST['action'] ) && ! check_admin_referer( 'wp2fa-step-choose-method' ) ) {
61 return;
62 }
63
64 Debugging::log( 'The following settings will be processed (General): ' . "\n" . wp_json_encode( $input ) );
65
66 $simple_settings_we_can_loop = array(
67 'enable_destroy_session',
68 'limit_access',
69 'brute_force_disable',
70 'delete_data_upon_uninstall',
71 'method_invalid_setting',
72 );
73
74 /**
75 * Gives the ability to change the default general settings.
76 *
77 * @param array $general_settings - The array with the default settings.
78 *
79 * @since 2.0.0
80 */
81 $simple_settings_we_can_loop = \apply_filters( WP_2FA_PREFIX . 'loop_general_settings', $simple_settings_we_can_loop );
82
83 $settings_to_turn_into_bools = array(
84 'enable_destroy_session',
85 'limit_access',
86 'brute_force_disable',
87 'delete_data_upon_uninstall',
88 );
89
90 foreach ( $simple_settings_we_can_loop as $simple_setting ) {
91 if ( ! in_array( $simple_setting, $settings_to_turn_into_bools, true ) ) {
92 // Is item is not one of our possible settings we want to turn into a bool, process.
93 $output[ $simple_setting ] = ( isset( $input[ $simple_setting ] ) && ! empty( $input[ $simple_setting ] ) ) ? trim( (string) sanitize_text_field( $input[ $simple_setting ] ) ) : false;
94 } else {
95 // This item is one we treat as a bool, so process correctly.
96 $output[ $simple_setting ] = ( isset( $input[ $simple_setting ] ) && ! empty( $input[ $simple_setting ] ) ) ? true : false;
97 }
98 }
99
100 if ( isset( $input['2fa_settings_last_updated_by'] ) && ! empty( $input['2fa_settings_last_updated_by'] ) ) {
101 $policies = WP2FA::get_wp2fa_setting();
102 if ( false === $policies ) {
103 $policies = WP2FA::get_default_settings();
104 }
105 $policies['2fa_settings_last_updated_by'] = (int) get_current_user_id();
106
107 WP2FA::update_plugin_settings( $policies );
108 }
109
110 // Remove duplicates from settings errors. We do this as this sanitization callback is actually fired twice, so we end up with duplicates when saving the settings for the FIRST TIME only. The issue is not present once the settings are in the DB as the sanitization wont fire again. For details on this core issue - https://core.trac.wordpress.org/ticket/21989.
111 global $wp_settings_errors;
112 if ( isset( $wp_settings_errors ) ) {
113 $errors = array_map( 'unserialize', array_unique( array_map( 'serialize', $wp_settings_errors ) ) );
114 $wp_settings_errors = $errors; // phpcs:ignore
115 }
116
117 /**
118 * Filter the values we are about to store in the plugin settings.
119 *
120 * @param array $output - The output array with all the data we will store in the settings.
121 * @param array $input - The input array with all the data we received from the user.
122 *
123 * @since 2.0.0
124 */
125 $output = \apply_filters( WP_2FA_PREFIX . 'filter_output_content_general_settings', $output, $input );
126
127 // We have overridden any defaults by now so can clear this.
128 Settings_Utils::delete_option( WP_2FA_PREFIX . 'default_settings_applied' );
129
130 Debugging::log( 'The following settings are being saved (General): ' . "\n" . wp_json_encode( $output ) );
131
132 return $output;
133 }
134
135 /**
136 * Updates global settings network options.
137 *
138 * @return void
139 *
140 * @since 2.9.0
141 */
142 public static function update_wp2fa_network_options() {
143 if ( ! \current_user_can( 'manage_options' ) ) {
144 \wp_die( \esc_html__( 'You do not have sufficient permissions to access this page.', 'wp-2fa' ) );
145 }
146
147 if ( isset( $_POST[ WP_2FA_SETTINGS_NAME ] ) ) {
148 check_admin_referer( 'wp_2fa_settings-options' );
149 $options = self::validate_and_sanitize( wp_unslash( $_POST[ WP_2FA_SETTINGS_NAME ] ) );
150 $settings_errors = get_settings_errors( WP_2FA_SETTINGS_NAME );
151 if ( ! empty( $settings_errors ) ) {
152 // redirect back to our options page.
153 wp_safe_redirect(
154 add_query_arg(
155 array(
156 'page' => 'wp-2fa-settings',
157 'wp_2fa_network_settings_error' => urlencode_deep( $settings_errors[0]['message'] ),
158 ),
159 network_admin_url( 'settings.php' )
160 )
161 );
162 exit;
163 }
164 WP2FA::update_plugin_settings( $options, false, WP_2FA_SETTINGS_NAME );
165
166 // redirect back to our options page.
167 wp_safe_redirect(
168 add_query_arg(
169 array(
170 'page' => 'wp-2fa-settings',
171 'tab' => 'generic-settings',
172 'wp_2fa_network_settings_updated' => 'true',
173 ),
174 network_admin_url( 'admin.php' )
175 )
176 );
177 exit;
178 }
179 }
180
181 /**
182 * Limit settings setting.
183 *
184 * @return void
185 *
186 * @since 2.0.0
187 */
188 private static function remove_data_upon_uninstall() {
189 ?>
190 <div class="danger-zone-wrapper">
191 <h3><?php \esc_html_e( 'Do you want to delete the plugin data from the database upon uninstall', 'wp-2fa' ); ?></h3>
192 <p class="description">
193 <?php \esc_html_e( 'The plugin saves its settings in the WordPress database. By default the plugin settings are kept in the database so if it is installed again, you do not have to reconfigure the plugin. Enable this setting to delete the plugin settings from the database upon uninstall.', 'wp-2fa' ); ?>
194 </p>
195 <table class="form-table">
196 <tbody>
197 <tr>
198 <th><label for="delete_data"><?php \esc_html_e( 'Delete data', 'wp-2fa' ); ?></label></th>
199 <td>
200 <fieldset>
201 <input type="checkbox" id="delete_data" name="wp_2fa_settings[delete_data_upon_uninstall]" value="delete_data_upon_uninstall"
202 <?php checked( 1, WP2FA::get_wp2fa_general_setting( 'delete_data_upon_uninstall' ), true ); ?>
203 >
204 <?php \esc_html_e( 'Delete data upon uninstall', 'wp-2fa' ); ?>
205 </fieldset>
206 </td>
207 </tr>
208 </tbody>
209 </table>
210 </div>
211 <?php
212 $last_user_to_update_settings = get_current_user_id();
213 ?>
214 <input type="hidden" id="2fa_main_user" name="wp_2fa_settings[2fa_settings_last_updated_by]" value="<?php echo \esc_attr( $last_user_to_update_settings ); ?>">
215 <?php
216 }
217
218 /**
219 * Limit settings access.
220 *
221 * @return void
222 *
223 * @since 2.0.0
224 */
225 private static function limit_settings_access() {
226 ?>
227 <br>
228 <h3><?php \esc_html_e( 'Limit 2FA settings access', 'wp-2fa' ); ?></h3>
229 <p class="description">
230 <?php \esc_html_e( 'Use this setting to hide this plugin configuration area from all other admins.', 'wp-2fa' ); ?>
231 </p>
232 <table class="form-table">
233 <tbody>
234 <tr>
235 <th><label for="limit_access"><?php \esc_html_e( 'Limit access to 2FA settings', 'wp-2fa' ); ?></label></th>
236 <td>
237 <fieldset>
238 <input type="checkbox" id="limit_access" name="wp_2fa_settings[limit_access]" value="limit_access"
239 <?php checked( 1, WP2FA::get_wp2fa_general_setting( 'limit_access' ), true ); ?>
240 >
241 <?php \esc_html_e( 'Hide settings from other administrators', 'wp-2fa' ); ?>
242 </fieldset>
243 </td>
244 </tr>
245 </tbody>
246 </table>
247 <?php
248 }
249
250 /**
251 * Disable brute force protection setting.
252 *
253 * @return void
254 *
255 * @since 2.5.0
256 */
257 private static function disable_brute_force_settings() {
258 ?>
259 <br>
260 <h3><?php \esc_html_e( 'Disable 2FA code brute force protection', 'wp-2fa' ); ?></h3>
261 <p class="description">
262 <?php \esc_html_e( 'When using email and SMS 2FA, the plugin sends the users a new one-time code whenever they enter the wrong code when logging in. This is a security enhancement, a sort of brute force protection. You can disable this feature from the below setting, however, it is not recommended.', 'wp-2fa' ); ?>
263 </p>
264 <table class="form-table">
265 <tbody>
266 <tr>
267 <th><label for="brute_force_disable"><?php \esc_html_e( 'Disable one-time code brute force protection', 'wp-2fa' ); ?></label></th>
268 <td>
269 <fieldset>
270 <input type="checkbox" id="brute_force_disable" name="wp_2fa_settings[brute_force_disable]" value="brute_force_disable"
271 <?php checked( 1, WP2FA::get_wp2fa_general_setting( 'brute_force_disable' ), true ); ?>
272 >
273 </fieldset>
274 </td>
275 </tr>
276 </tbody>
277 </table>
278 <?php
279 }
280
281 /**
282 * Rendering settings when there are no methods.
283 *
284 * @return void
285 *
286 * @since 2.2.0
287 */
288 private static function no_method_exists() {
289 ?>
290 <p class="description">
291 <?php
292 printf(
293 // translators: support email.
294 \esc_html__( 'Use this setting below to configure the properties of the two-factor authentication on your website and how users use it. If you have any questions send us an email at %1$s.', 'wp-2fa' ),
295 '<a href="mailto:support@melapress.com">support@melapress.com</a>'
296 );
297 ?>
298 </p>
299 <h3><?php \esc_html_e( 'What should the plugin do if the 2FA method used during a user login is unavailable', 'wp-2fa' ); ?></h3>
300 <p class="description">
301 <?php \esc_html_e( 'There may be cases in which the 2FA service is unavailable when a user is trying to log in. For example, the service is unreachable or there are no credits to complete the action. In this case you can configure the plugin to either block the login process, or allow the user to log in without 2FA authentication.', 'wp-2fa' ); ?>
302 </p>
303 <table class="form-table">
304 <tbody>
305 <tr>
306 <th><label for="no-methods"><?php \esc_html_e( 'Select action', 'wp-2fa' ); ?></label></th>
307 <td>
308 <fieldset class="contains-hidden-inputs" id="no-methods">
309 <label for="login_block">
310 <input type="radio" name="wp_2fa_settings[method_invalid_setting]" id="login_block" value="login_block"
311 <?php checked( WP2FA::get_wp2fa_general_setting( 'method_invalid_setting' ), 'login_block' ); ?>
312 >
313 <span><?php \esc_html_e( 'Block the login.', 'wp-2fa' ); ?></span>
314 </label>
315
316 <br/>
317 <label for="allow_login_without_method">
318 <input type="radio" name="wp_2fa_settings[method_invalid_setting]" id="allow_login_without_method" value="allow_login_without_method"
319 <?php checked( WP2FA::get_wp2fa_general_setting( 'method_invalid_setting' ), 'allow_login_without_method' ); ?>
320 data-unhide-when-checked=".custom-from-inputs">
321 <span><?php \esc_html_e( 'Allow the login without 2FA', 'wp-2fa' ); ?></span>
322 </label>
323 </fieldset>
324 </td>
325 </tr>
326 </tbody>
327 </table>
328 <?php
329 }
330 }
331 }
332