WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 4 years ago

#24617 closed defect (bug) (fixed)

Spammed users should not be able to reset their password

Reported by: r-a-y Owned by: jeremyfelt
Milestone: 4.6 Priority: normal
Severity: normal Version: 3.0
Component: Users Keywords: good-first-bug has-patch
Focuses: multisite Cc:

Description

In multisite, if an admin has marked a user as spam, the spammed user can still attempt to reset their password.

Even though spammed users cannot login, we shouldn't be able to let spammers to reset their password.

Attached patch addresses this.

Attachments (5)

24173.01.patch (947 bytes) - added by r-a-y 7 years ago.
24617.01.patch (946 bytes) - added by r-a-y 7 years ago.
24617.02.patch (1.3 KB) - added by websupporter 4 years ago.
Updates the patch and utilizes is_user_spammy()
24617.03.patch (1.2 KB) - added by websupporter 4 years ago.
Sorry for spamming myself :D, just wanted to add the spaces between if(){ correctly.
24617.04.patch (1.1 KB) - added by websupporter 4 years ago.
set $allow to false instead of a new WP_Error

Download all attachments as: .zip

Change History (21)

@r-a-y
7 years ago

#1 @r-a-y
7 years ago

Disregard the wrong ticket number for the patch!

Forgot to write that the patch also passes the $user_data object to the 'allow_password_reset' filter so plugin devs can use the already-queried $user_data object to do their checks in order to disable password resetting.

#2 @SergeyBiryukov
7 years ago

  • Component changed from Users to Multisite
  • Version changed from 2.3.3 to 3.0

This should be a distinct spammer_account error code, rather than invalid_username (see #19445).

#3 @r-a-y
7 years ago

Right, nice catch, SergeyBiryukov.

I was working off the 3.5-branch instead of trunk.

@r-a-y
7 years ago

#4 @johnbillion
7 years ago

A generic error message might be more desirable here. Eg. "Your account has been disabled".

#5 @jeremyfelt
7 years ago

  • Component changed from Multisite to Users
  • Focuses multisite added

#6 @chriscct7
5 years ago

  • Keywords needs-refresh added

Needs implementation of comment:4 and a refresh

#7 @jeremyfelt
4 years ago

  • Keywords good-first-bug needs-patch added; has-patch needs-refresh removed
  • Milestone changed from Awaiting Review to 4.6

24617.01.patch is a good starting patch, agreed on the change in error messaging. Also, I'd go with spam account and marked as spam vs spammer in the docs.

@websupporter
4 years ago

Updates the patch and utilizes is_user_spammy()

@websupporter
4 years ago

Sorry for spamming myself :D, just wanted to add the spaces between if(){ correctly.

#8 @websupporter
4 years ago

  • Keywords has-patch added; needs-patch removed

#9 @websupporter
4 years ago

  • Keywords has-unit-tests added

#10 @jeremyfelt
4 years ago

  • Owner set to websupporter
  • Status changed from new to assigned

Thanks @websupporter, 24617.03.patch is looking good. Let's change the error text to something more generic so that we're not necessarily passing that info on to the user. The suggested "Your account has been disabled" from above seems right. Thoughts?

#11 follow-up: @websupporter
4 years ago

Hi @jeremyfelt, if we just put $allow to false, we retun Password reset is not allowed for this user as the standard not allowed. Or we go with an extra message disabled where we might be able to keep the error code for some purposes specific.

Version 0, edited 4 years ago by websupporter (next)

#12 in reply to: ↑ 11 @jeremyfelt
4 years ago

Replying to websupporter:

if we just put $allow to false, we retun Password reset is not allowed for this user as the standard not allowed.

Ahh, +1 for this then. I think keeping it generic and using the same messaging as other possible reasons makes sense.

@websupporter
4 years ago

set $allow to false instead of a new WP_Error

This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.


4 years ago

This ticket was mentioned in Slack in #core-multisite by websupporter. View the logs.


4 years ago

#15 @jeremyfelt
4 years ago

  • Keywords has-unit-tests removed
  • Owner changed from websupporter to jeremyfelt
  • Status changed from assigned to reviewing

This is looking good. I'm going to go with the multisite/spammy check here and leave the changes to the allow_password_reset filter for another ticket/discussion. We haven't needed to pass the full user object before. If anyone would like to extend that filter, please open another ticket.

#16 @jeremyfelt
4 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 37317:

Users: Prevent spammy users from resetting their passwords in multisite

Props r-a-y, websupporter.
Fixes #24617.

Note: See TracTickets for help on using tickets.