From d2ec1c6f1558658a3e5418ea55496989af7e4a8b Mon Sep 17 00:00:00 2001
From: Augusto Bennemann <augusto@augusto.dev>
Date: Wed, 7 May 2025 12:14:54 -0300
Subject: [PATCH 1/2] Add filter for
 rest_api_can_edit_user_and_update_two_factor_options

---
 class-two-factor-core.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 56d6e4bc..4b7c3bcb 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1349,7 +1349,7 @@ public static function rest_api_can_edit_user_and_update_two_factor_options( $us
 			return new WP_Error( 'revalidation_required', __( 'Two Factor Revalidation required.', 'two-factor' ) );
 		}
 
-		return true;
+		return apply_filters( 'two_factor_rest_api_can_edit_user', true, $user_id );
 	}
 
 	/**

From 142d76913ce0729a0ef80f55f64ff6e13617dc55 Mon Sep 17 00:00:00 2001
From: Augusto Bennemann <augusto@augusto.dev>
Date: Wed, 10 Dec 2025 11:09:19 -0300
Subject: [PATCH 2/2] Readme: document new filter

---
 readme.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/readme.txt b/readme.txt
index 8143c1c4..c61fce32 100644
--- a/readme.txt
+++ b/readme.txt
@@ -30,7 +30,8 @@ Here is a list of action and filter hooks provided by the plugin:
 - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
 - `two_factor_email_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
 - `two_factor_email_token_length` filter overrides the default 8 character count for email tokens.
-- `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Providers the `WP_User` of the associated user as the second argument.
+- `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Provides the `WP_User` of the associated user as the second argument.
+- `two_factor_rest_api_can_edit_user` filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current `$can_edit` boolean, the second argument is the user ID.
 
 == Frequently Asked Questions ==