
blocking a user does nothing


  • Ben L.
    Member

    @nightgunner5

    Right under the place roles are changed is the text:

    Inactive users can login and look around but not do anything. Blocked users just see a simple error message when they visit the site.

    However, when I made a test account and marked it as blocked, I could still log in with the account and there was no error message.

    Why is this a problem and how can I fix this?

    P.S. I tried this on a test install of trunk and a test install of 0.9.0.2, both gave the same result.

    Edit: I just found out that blocking breaks passwords reversibly, and only gives an error message if the user is already logged in.

Viewing 4 replies - 1 through 4 (of 4 total)

  • chrishajer
    Participant

    @chrishajer

    I confirmed this as well. I created a new member, logged out, logged in as admin, marked new member blocked, logged out, logged in as new member, everything appears fine. In the admin panel, the user is marked as blocked.

    So, what *is* supposed to happen when a blocked member tries to log in?

    I noticed that the blocked member cannot edit their profile: there’s just one tab there: Profile.


  • _ck_
    Participant

    @_ck_

    Block may never have worked like one would think.

    I think it just treats them like “bozo” status.

    It gives them the capability of “not_play_nice” = true

    hmm actually…

    function bb_block_current_user() {
        global $bbdb;
        if ( $id = bb_get_current_user_info( 'id' ) )
            bb_update_usermeta( $id, $bbdb->prefix . 'been_blocked', 1 ); // Just for logging.
        bb_die(__("You've been blocked. If you think a mistake has been made, contact this site's administrator."));
    }

    function bb_reset_password( $key ) {
        global $bbdb;
        $key = sanitize_user( $key );
        if ( empty( $key ) )
            bb_die(__('Key not found.'));
        if ( !$user_id = $bbdb->get_var( $bbdb->prepare( "SELECT user_id FROM $bbdb->usermeta WHERE meta_key = 'newpwdkey' AND meta_value = %s", $key ) ) )
            bb_die(__('Key not found.'));
        if ( $user = new BB_User( $user_id ) ) :
            if ( bb_has_broken_pass( $user->ID ) )
                bb_block_current_user();
            if ( !$user->has_cap( 'change_user_password', $user->ID ) )
                bb_die( __('You are not allowed to change your password.') );

    .

    According to all that, their password should be scrambled and they should be unable to reset it – so they can’t log in.

    But you can’t stop them from seeing the website.

    There’s no IP based blocking (yet) in bbPress.

    To really block an IP, you’d have to go into htaccess and add a “deny from” – at least for now.

    I guess someone could write a plugin to block the IP of blocked users, perhaps for 48 hours or so. Since bbPress doesn’t store the last login IP for users by default, this makes it difficult, the plugin would have to start storing IPs on every login.


  • _ck_
    Participant

    @_ck_

    Oh wait, here’s the broken part in bb-settings.php

    do_action('bb_init', '');

    if ( bb_is_user_logged_in() && bb_has_broken_pass() )
        bb_block_current_user();

    I don’t see how a user could both be logged in AND have a broken password. If their password is broken, they can’t login.

    This might have broken during the radical password/cookie changes in >0.8

    I opened a TRAC ticket

    https://trac.bbpress.org/ticket/899


  • Ben L.
    Member

    @nightgunner5

    I don't see how a user could both be logged in AND have a broken password. If their password is broken, they can't login.

    Maybe they were still logged in while they got blocked.
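
The case raised in the last reply (an account blocked while its session is still live), as an added example that is not part of the thread and not bbPress code. It is a self-contained toy model: every function name, the `BLOCKED:` marker and the sample account are assumptions made for illustration, including the way the stored hash is "broken".

```php
<?php
// Added illustration: a toy model, not bbPress code. All names are hypothetical.
// Assumption: blocking reversibly "breaks" the stored hash by prefixing a marker.
const BROKEN_PREFIX = 'BLOCKED:';

function has_broken_pass(array $users, string $login): bool {
    return strncmp($users[$login], BROKEN_PREFIX, strlen(BROKEN_PREFIX)) === 0;
}

function block_user(array &$users, string $login): void {
    if (!has_broken_pass($users, $login)) {
        $users[$login] = BROKEN_PREFIX . $users[$login];
    }
}

// Login-time enforcement: a broken hash never verifies, so no new session is issued.
function login(array $users, array &$sessions, string $login, string $password): ?string {
    if (!isset($users[$login]) || !password_verify($password, $users[$login])) {
        return null;
    }
    $token = bin2hex(random_bytes(16));
    $sessions[$token] = $login;
    return $token;
}

// Request-time enforcement: a session token says nothing about the account's
// current status, so the status is re-checked on every request when $recheck is true.
function handle_request(array $users, array &$sessions, string $token, bool $recheck): string {
    if (!isset($sessions[$token])) {
        return 'login required';
    }
    if ($recheck && has_broken_pass($users, $sessions[$token])) {
        unset($sessions[$token]); // revoke the session issued before the block
        return 'blocked';
    }
    return 'ok';
}

// Constructed sample data: the user logs in first, then an admin blocks the account.
$users = ['testuser' => password_hash('correct horse', PASSWORD_DEFAULT)];
$sessions = [];
$token = login($users, $sessions, 'testuser', 'correct horse');
block_user($users, 'testuser');

var_dump(login($users, $sessions, 'testuser', 'correct horse')); // fresh login after the block
var_dump(handle_request($users, $sessions, $token, false));      // old session, no per-request check
var_dump(handle_request($users, $sessions, $token, true));       // old session, with per-request check
var_dump(handle_request($users, $sessions, $token, true));       // same token after revocation
```

Breaking the password only closes the login path; a session issued before the block stays usable until something checks the account's status per request and revokes it.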
