[Ben L.]

Right under the place roles are changed is the text:

Inactive users can login and look around but not do anything. Blocked users just see a simple error message when they visit the site.

However, when I made a test account and marked it as blocked, I could still log in with the account and there was no error message.

Why is this a problem and how can I fix this?

P.S. I tried this on a test install of trunk and a test install of 0.9.0.2, both gave the same result.

Edit: I just found out that blocking breaks passwords reversably, and only gives an error message if the user is already logged in.

[chrishajer]

I confirmed this as well. I created a new member, logged out, logged in as admin, marked new member blocked, logged out, logged in as new member, everything appears fine. In the admin panel, the user is marked as blocked.

So, what *is* supposed to happen when a blocked member tries to log in?

I noticed that the blocked member cannot edit their profile: there’s just one tab there: Profile.

[_ck_]

Block may never have worked like one would think.

I think it just treats them like “bozo” status.

It gives them the capability of “not_play_nice” = true

hmm actually…

function bb_block_current_user() {

global $bbdb;

if ( $id = bb_get_current_user_info( 'id' ) )

bb_update_usermeta( $id, $bbdb->prefix . 'been_blocked', 1 ); // Just for logging.

bb_die(__("You've been blocked.  If you think a mistake has been made, contact this site's administrator."));

}

function bb_reset_password( $key ) {

global $bbdb;

$key = sanitize_user( $key );

if ( empty( $key ) )

bb_die(__('Key not found.'));

if ( !$user_id = $bbdb->get_var( $bbdb->prepare( "SELECT user_id FROM $bbdb->usermeta WHERE meta_key = 'newpwdkey' AND meta_value = %s", $key ) ) )

bb_die(__('Key not found.'));

if ( $user = new BB_User( $user_id ) ) :

if ( bb_has_broken_pass( $user->ID ) )

bb_block_current_user();

if ( !$user->has_cap( 'change_user_password', $user->ID ) )

bb_die( __('You are not allowed to change your password.') );

.

According to all that, their password should be scrambled and they should be unable to reset it – so they can’t log in.

But you can’t stop them from seeing the website.

There’s no IP based blocking (yet) in bbPress.

To really block an IP, you’d have to go into htaccess and add a “deny from” – at least for now.

I guess someone could write a plugin to block the IP of blocked users, perhaps for 48 hours or so. Since bbPress doesn’t store the last login IP for users by default, this makes it difficult, the plugin would have to start storing IPs on every login.

[_ck_]

Oh wait, here’s the broken part in bb-settings.php

do_action('bb_init', '');



if ( bb_is_user_logged_in() && bb_has_broken_pass() )

bb_block_current_user();

I don’t see how a user could both be logged in AND have a broken password. If their password is broken, they can’t login.

This might have broken during the radical password/cookie changes in >0.8

I opened a TRAC ticket

https://trac.bbpress.org/ticket/899

[Ben L.]

I don't see how a user could both be logged in AND have a broken password. If their password is broken, they can't login.

Maybe they were still logged in while they got blocked.