Timestamp:
02/17/2026 09:24:56 AM (4 months ago)
Author:
audrasjb
Message:

Networks and Sites: Don't automatically mark website as spam when an account is marked as spam.

This changeset does the following:

  • Explicitly add 403 to wp_die() calls for unauthorized actions
  • Introduce the network_user_spam_propagate_to_blogs filter to provide flexibility for developers to control spam status propagation
  • Use is_super_admin() checks for both "spam" and "notspam" actions to prevent unauthorized modification of network administrators
  • Refine the "notspam" logic to ensure that blog status updates are correctly scoped to the current network
  • Add related unit tests coverage

Props ignatiusjeroe, realloc, johnjamesjacoby, westonruter, mukesh27, pratiknawkar94, anukasha.
Fixes #61146.

File:
1 edited

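--- a/trunk/tests/phpunit/tests/user.php
+++ b/trunk/tests/phpunit/tests/user.php
@@ -885,4 +885,64 @@
 
     /**
+     * Helper to create a user and add them to multiple blogs.
+     *
+     * @param int  $num_blogs          Number of additional blogs to create and add the user to.
+     * @param bool $include_main_site  Whether to add the user to the main site as well.
+     * @return array Array with 'user_id' and 'blogs' (array of blog IDs).
+     */
+    private function create_user_with_blogs( $num_blogs = 1, $include_main_site = false ) {
+        $user_id = self::factory()->user->create();
+
+        $blogs = array();
+        if ( $include_main_site ) {
+            add_user_to_blog( get_main_site_id(), $user_id, 'administrator' );
+            $blogs[] = get_main_site_id();
+        }
+
+        for ( $i = 0; $i < $num_blogs; $i++ ) {
+            $blog_id = self::factory()->blog->create(
+                array(
+                    'site_id' => get_current_network_id(),
+                )
+            );
+            add_user_to_blog( $blog_id, $user_id, 'administrator' );
+            $blogs[] = $blog_id;
+        }
+
+        return array(
+            'user_id' => $user_id,
+            'blogs'   => $blogs,
+        );
+    }
+
+    /**
+     * @ticket 61146
+     */
+    public function test_default_do_not_propagate_network_user_spam_to_blogs_on_multisite() {
+        if ( ! is_multisite() ) {
+            $this->markTestSkipped( 'This test is for multisite only.' );
+        }
+
+        $data    = $this->create_user_with_blogs( 2 );
+        $user_id = $data['user_id'];
+        $blogs   = $data['blogs'];
+
+        // Mark user spam in user record (this alone should not change blog spam states).
+        $u = wp_update_user(
+            array(
+                'ID'   => $user_id,
+                'spam' => '1',
+            )
+        );
+        $this->assertNotWPError( $u );
+        $user = get_userdata( $user_id );
+        $this->assertSame( '1', $user->spam );
+
+        foreach ( $blogs as $blog_id ) {
+            $this->assertNotSame( '1', get_blog_status( $blog_id, 'spam' ), "Blog {$blog_id} should not be marked spam by default." );
+        }
+    }
+
+    /**
      * @ticket 28315
      */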
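Review bot: The assertion inside the `foreach` of test_default_do_not_propagate_network_user_spam_to_blogs_on_multisite() only rules out the exact string '1', so it would also pass if get_blog_status() returned a failure value for a site that could not be looked up, or a non-string value. Pinning the expected state is a stronger regression guard, e.g. `$this->assertSame( '0', get_blog_status( $blog_id, 'spam' ), "Blog {$blog_id} should not be marked spam by default." );` (this assumes '0' is the stored non-spam value; confirm before changing). The test sets the flag through wp_update_user(), which its own inline comment says should not change site status, so it probably does not reach the network_user_spam_propagate_to_blogs filter or the is_super_admin() checks described in the commit message. If nothing else in the changeset covers them, it would be worth adding cases that drive the network-admin spam/notspam action with the filter returning both values, and one asserting that a super admin target is refused. The `$include_main_site` branch of create_user_with_blogs() is not called by anything visible in this section.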