I confirmed this as well. I created a new member, logged out, logged in as admin, marked new member blocked, logged out, logged in as new member, everything appears fine. In the admin panel, the user is marked as blocked.
So, what *is* supposed to happen when a blocked member tries to log in?
I noticed that the blocked member cannot edit their profile: there’s just one tab there: Profile.
Block may never have worked like one would think.
I think it just treats them like “bozo” status.
It gives them the capability of “not_play_nice” = true
hmm actually…
```php
function bb_block_current_user() {
	global $bbdb;
	if ( $id = bb_get_current_user_info( 'id' ) )
		bb_update_usermeta( $id, $bbdb->prefix . 'been_blocked', 1 ); // Just for logging.
	bb_die(__("You've been blocked. If you think a mistake has been made, contact this site's administrator."));
}

function bb_reset_password( $key ) {
	global $bbdb;
	$key = sanitize_user( $key );
	if ( empty( $key ) )
		bb_die(__('Key not found.'));
	if ( !$user_id = $bbdb->get_var( $bbdb->prepare( "SELECT user_id FROM $bbdb->usermeta WHERE meta_key = 'newpwdkey' AND meta_value = %s", $key ) ) )
		bb_die(__('Key not found.'));
	if ( $user = new BB_User( $user_id ) ) :
		if ( bb_has_broken_pass( $user->ID ) )
			bb_block_current_user();
		if ( !$user->has_cap( 'change_user_password', $user->ID ) )
			bb_die( __('You are not allowed to change your password.') );
```
.
According to all that, their password should be scrambled and they should be unable to reset it – so they can’t log in.
But you can’t stop them from seeing the website.
There’s no IP based blocking (yet) in bbPress.
To really block an IP, you’d have to go into htaccess and add a “deny from” – at least for now.
I guess someone could write a plugin to block the IP of blocked users, perhaps for 48 hours or so. Since bbPress doesn’t store the last login IP for users by default, this makes it difficult; the plugin would have to start storing IPs on every login.
Oh wait, here’s the broken part in bb-settings.php
```php
do_action('bb_init', '');
if ( bb_is_user_logged_in() && bb_has_broken_pass() )
	bb_block_current_user();
```
I don’t see how a user could both be logged in AND have a broken password. If their password is broken, they can’t log in.
This might have broken during the radical password/cookie changes in >0.8
I opened a TRAC ticket
https://trac.bbpress.org/ticket/899
I don't see how a user could both be logged in AND have a broken password. If their password is broken, they can't log in.
Maybe they were still logged in while they got blocked.
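The plugin idea raised earlier in the thread (record each user's IP at login, then deny that IP for 48 hours once the user is blocked), as an added example that is not from any post here and is not bbPress code. The class name, the in-memory storage and the sample addresses are assumptions; a real plugin would persist the data and call these methods from its own login and block hooks.

```php
<?php
// Added example, not bbPress code. Storage is in memory for the demonstration;
// the hooks that would call recordLogin() and blockUser() are assumed.
final class BlockedIpList
{
    const BLOCK_SECONDS = 172800; // 48 hours
    private $lastIp = [];      // user id => canonical IP seen at last login
    private $deniedUntil = []; // canonical IP => Unix time the deny expires

    // Canonical text form, so two spellings of one IPv6 address compare equal.
    public static function normalize(string $ip): ?string
    {
        $ip = trim($ip);
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return null;
        }
        return inet_ntop(inet_pton($ip));
    }

    public function recordLogin(int $userId, string $ip): void
    {
        if (($ip = self::normalize($ip)) !== null) {
            $this->lastIp[$userId] = $ip;
        }
    }

    // Run when an admin blocks the user; null means no login IP was recorded.
    public function blockUser(int $userId, int $now): ?string
    {
        $ip = $this->lastIp[$userId] ?? null;
        if ($ip !== null) {
            $this->deniedUntil[$ip] = $now + self::BLOCK_SECONDS;
        }
        return $ip;
    }

    public function isDenied(string $ip, int $now): bool
    {
        $ip = self::normalize($ip);
        return $ip !== null && ($this->deniedUntil[$ip] ?? 0) > $now;
    }
}

// Constructed sample data: user 42 logs in, is blocked, then returns.
$list = new BlockedIpList();
$list->recordLogin(42, '2001:db8:0:0:0:0:0:1');
$list->blockUser(42, 1200000000);
var_dump($list->isDenied('2001:db8::1', 1200003600));
var_dump($list->isDenied('2001:db8::1', 1200000000 + BlockedIpList::BLOCK_SECONDS));
```

The deny list keys on the address alone, so other visitors behind the same NAT or proxy are denied for the same 48 hours.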