Opened 11 years ago
Closed 9 years ago
#24617 closed defect (bug) (fixed)
Spammed users should not be able to reset their password
Reported by: | r-a-y | Owned by: | jeremyfelt |
---|---|---|---|
Milestone: | 4.6 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Users | Keywords: | good-first-bug has-patch |
Focuses: | multisite | Cc: |
Description
In multisite, if an admin has marked a user as spam, the spammed user can still attempt to reset their password.
Even though spammed users cannot login, we shouldn't be able to let spammers to reset their password.
Attached patch addresses this.
Attachments (5)
Change History (21)
#2
@
11 years ago
- Component changed from Users to Multisite
- Version changed from 2.3.3 to 3.0
This should be a distinct spammer_account
error code, rather than invalid_username
(see #19445).
#3
@
11 years ago
Right, nice catch, SergeyBiryukov.
I was working off the 3.5-branch instead of trunk.
#4
@
11 years ago
A generic error message might be more desirable here. Eg. "Your account has been disabled".
#7
@
9 years ago
- Keywords good-first-bug needs-patch added; has-patch needs-refresh removed
- Milestone changed from Awaiting Review to 4.6
24617.01.patch is a good starting patch, agreed on the change in error messaging. Also, I'd go with spam account
and marked as spam
vs spammer
in the docs.
#10
@
9 years ago
- Owner set to websupporter
- Status changed from new to assigned
Thanks @websupporter, 24617.03.patch is looking good. Let's change the error text to something more generic so that we're not necessarily passing that info on to the user. The suggested "Your account has been disabled" from above seems right. Thoughts?
#11
follow-up:
↓ 12
@
9 years ago
Hi @jeremyfelt, if we just put $allow
to false, we retun Password reset is not allowed for this user
as the standard not allowed. Or we go with an extra message disabled
where we might be able to keep the error code for some purposes specific.
I would opt for $allow
false
since its the most generic we have.
#12
in reply to:
↑ 11
@
9 years ago
Replying to websupporter:
if we just put
$allow
to false, we retunPassword reset is not allowed for this user
as the standard not allowed.
Ahh, +1 for this then. I think keeping it generic and using the same messaging as other possible reasons makes sense.
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
9 years ago
This ticket was mentioned in Slack in #core-multisite by websupporter. View the logs.
9 years ago
#15
@
9 years ago
- Keywords has-unit-tests removed
- Owner changed from websupporter to jeremyfelt
- Status changed from assigned to reviewing
This is looking good. I'm going to go with the multisite/spammy check here and leave the changes to the allow_password_reset
filter for another ticket/discussion. We haven't needed to pass the full user object before. If anyone would like to extend that filter, please open another ticket.
Disregard the wrong ticket number for the patch!
Forgot to write that the patch also passes the
$user_data
object to the'allow_password_reset'
filter so plugin devs can use the already-queried $user_data object to do their checks in order to disable password resetting.