Opened 9 years ago
Closed 9 years ago
#36546 closed defect (bug) (fixed)
user marked as spam can log in
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 4.6 | Priority: | normal |
| Severity: | normal | Version: | 3.7 |
| Component: | Login and Registration | Keywords: | has-patch has-unit-tests |
| Focuses: | multisite | Cc: | |
Description
When the admin marks a user as "spam", the function wp_authenticate_spam_check() is supposed to block this user from logging in. wp_authenticate_spam_check() utilizes is_user_spammy() to do so. This function expects the WP User Object. If it is not given, it will fall back to the currently logged in user, but - if I am not mistaken - the user is not logged in yet, so the fallback does not work.

Since we have the user object when performing the is_user_spammy test, we can simply hand it over and the user can't log in any more.

P.S.: It's the first time I try to patch something; I hope I get everything right.
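The failure mode the reporter describes, as an added illustration that is not code from this ticket or from WordPress core: WP_User, WP_Error, wp_get_current_user() and both check functions are re-implemented here as minimal stand-ins (the multisite guard and filters of the real functions are left out), and the spammed account is a constructed sample. The "buggy" variant calls is_user_spammy() with no argument so it falls back to the anonymous current user; the "fixed" variant passes the user object through, as the ticket proposes.

```php
<?php
// Added example: a stripped-down model of the login check discussed in this
// ticket. Every class and function below is a stand-in, not WordPress core code.

class WP_User {
    public $ID;
    public $user_login;
    public $spam;
    public function __construct( $id, $login, $spam = 0 ) {
        $this->ID         = $id;
        $this->user_login = $login;
        $this->spam       = $spam;
    }
}

class WP_Error {
    public $code;
    public $message;
    public function __construct( $code, $message ) {
        $this->code    = $code;
        $this->message = $message;
    }
}

// During authentication nobody is logged in yet, so the "current user" is the
// anonymous user with ID 0, which is never flagged as spam.
function wp_get_current_user() {
    return new WP_User( 0, '', 0 );
}

// Mirrors the fallback the ticket describes: without an explicit user object
// the check silently inspects the current (anonymous) user instead.
function is_user_spammy( $user = null ) {
    if ( ! ( $user instanceof WP_User ) ) {
        $user = wp_get_current_user();
    }
    return isset( $user->spam ) && 1 == $user->spam;
}

// Before the fix: the user being authenticated is never handed over, so the
// fallback decides and a spammed account is let through.
function wp_authenticate_spam_check_buggy( $user ) {
    if ( $user instanceof WP_User && is_user_spammy() ) {
        return new WP_Error( 'spammer_account', 'Your account has been marked as a spammer.' );
    }
    return $user;
}

// After the fix: pass the user object explicitly, as the ticket proposes.
function wp_authenticate_spam_check_fixed( $user ) {
    if ( $user instanceof WP_User && is_user_spammy( $user ) ) {
        return new WP_Error( 'spammer_account', 'Your account has been marked as a spammer.' );
    }
    return $user;
}

// Constructed sample: an account the admin has marked as spam.
$spammer = new WP_User( 42, 'constructed_spam_account', 1 );

$before = wp_authenticate_spam_check_buggy( $spammer );
$after  = wp_authenticate_spam_check_fixed( $spammer );

echo 'buggy check: ', ( $before instanceof WP_Error ) ? 'blocked' : 'logged in', PHP_EOL;
echo 'fixed check: ', ( $after instanceof WP_Error ) ? 'blocked' : 'logged in', PHP_EOL;
```

Run with `php example.php`: the buggy variant reports "logged in" for the spammed account, the fixed variant reports "blocked". A unit test for this check should therefore call the authentication filter with a WP_User whose spam flag is set and assert that a WP_Error comes back, rather than relying on any logged-in state.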
Attachments (3)
Change History (14)
#2
@
9 years ago
- Component changed from Networks and Sites to Login and Registration
- Keywords needs-unit-tests added
- Version changed from trunk to 3.7
This ticket was mentioned in Slack in #core by jeremyfelt. View the logs.
9 years ago
This ticket was mentioned in Slack in #core-multisite by websupporter. View the logs.
9 years ago
@
9 years ago
Changed the error message to a more generic "Your account has been disabled" and merged it together with #24617 (don't know if this is a good practice, but since they are quite related).
This ticket was mentioned in Slack in #core-multisite by websupporter. View the logs.
9 years ago
#10
@
9 years ago
- Keywords has-unit-tests added; needs-unit-tests removed
- Owner set to jeremyfelt
- Status changed from new to reviewing
Thanks @websupporter! Great catch on the initial bug and great work on the patch.

I'm going to leave the error message as is and go with your original patch. I've also added some tests for coverage of wp_authenticate_spam_check.
I had a second look into wp_authenticate_spam_check() and was wondering. I found this problem when I tried to patch #24617. We discussed over there if we should let the user know he is marked as spam. We decided to go with a standard message instead. I was now wondering about the message returned by wp_authenticate_spam_check(): "Your account has been marked as a spammer".

Maybe we should also use something more generic here to keep it consistent. We could keep the error code (in regards to #19445), but return to the user something like "Your account has been disabled"?

Any thoughts here?