Allow enforcing 2fa for super adminns

class.two-factor-force.php

@@ -280,7 +280,12 @@ public static function is_two_factor_forced( $user_id ) {
 
 		// Check whether a user is in a user role that requires two-factor authentication.
 		$two_factor_forced_roles = self::get_forced_user_roles();
-		$required_roles          = array_filter( $user->roles, function( $role ) use ( $two_factor_forced_roles ) {
+		$user_roles              = $user->roles;
+		if ( is_super_admin( $user->ID ) ) {
+			array_push( $user_roles, 'super-admin' );
+		}
+
+		$required_roles          = array_filter( $user_roles, function( $role ) use ( $two_factor_forced_roles ) {
 			return in_array( $role, $two_factor_forced_roles, true );
 		}, ARRAY_FILTER_USE_BOTH );
 
@@ -373,12 +378,13 @@ public static function global_force_2fa_field() {
 	public static function global_force_2fa_by_role_field() {
 		$forced_roles          = self::get_forced_user_roles();
 		$is_universally_forced = self::get_universally_forced_option();
+		$roles                 = array_merge( [ 'super-admin' => [ 'name' => __( 'Super Admin' ) ] ], get_editable_roles() );
 
 		?>
 		<input type="hidden" name="<?php echo esc_attr( sprintf( '%s[%s]', self::FORCED_ROLES_META_KEY, 'no-role-selected' ) ); ?>" />
 		<?php
 
-		foreach ( get_editable_roles() as $slug => $role ) :
+		foreach ( $roles as $slug => $role ) :
 			?>
 			<label>
 				<input type='checkbox' name="<?php echo esc_attr( sprintf( '%s[%s]', self::FORCED_ROLES_META_KEY, $slug ) ); ?>" value="1" <?php checked( in_array( $slug, $forced_roles, true ) ); ?> <?php echo ( $is_universally_forced ) ? 'readonly' : ''; ?> />

tests/class.two-factor-force.php

@@ -12,7 +12,7 @@ class Test_ClassTwoFactorForce extends WP_UnitTestCase {
 	 */
 	public function test_add_hooks() {
 		Two_Factor_Force::add_hooks();
-		
+
 		$this->assertGreaterThan(
 			0,
 			has_action(
@@ -170,6 +170,23 @@ public function test_is_two_factor_forced_captured_role() {
 		$this->assertTrue( Two_Factor_Force::is_two_factor_forced( $user->ID ) );
 	}
 
+	/**
+	 * @covers Two_Factor_Force::is_two_factor_forced
+	 */
+	public function test_is_two_factor_forced_super_admin() {
+		// Set role-based value to editors and adminstrators.
+		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'super-admin' ] );
+
+		$user = new WP_User( $this->factory->user->create( [ 'role' => 'administrator' ] ) );
+		wp_set_current_user( $user->ID );
+		// Make the user super admin
+		add_filter( 'pre_site_option_site_admins', function() use ( $user ) {
+			return [ $user->user_login ];
+		} );
+
+		$this->assertTrue( Two_Factor_Force::is_two_factor_forced( $user->ID ) );
+	}
+
 	/**
 	 * @covers Two_Factor_Force::get_universally_forced_option
 	 */
@@ -185,8 +202,8 @@ public function test_get_universally_forced_option_multisite() {
 	 */
 	public function test_get_forced_user_roles_multisite() {
 		// Set role-based value to editors and adminstrators.
-		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'author', 'editor', 'administrator' ] );
+		update_site_option( Two_Factor_Force::FORCED_ROLES_META_KEY, [ 'author', 'editor', 'administrator', 'super-admin' ] );
 
-		$this->assertEquals( [ 'author', 'editor', 'administrator' ], Two_Factor_Force::get_forced_user_roles() );
+		$this->assertEquals( [ 'author', 'editor', 'administrator', 'super-admin' ], Two_Factor_Force::get_forced_user_roles() );
 	}
 }