Opened 11 years ago
Last modified 13 months ago
#2484 reopened defect (bug)
Marking participants as spam, marks whole Blogs as spam
Reported by: | wpdennis | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | 2.8 | Priority: | omg sweet tea |
Severity: | critical | Version: | |
Component: | API - Roles/Capabilities | Keywords: | dev-feedback |
Cc: |
Description
If you mark a user as spam in /wp-admin/network/users.php, it will mark each blog as spam, where the user is participant.
It happens if bbp_allow_global_access() is true in a multisite environment.
The reason seems to be
In multisite with bbp_allow_global_access each participant gets the participant capability and get_user_meta($user_id) will return:
[wp_32_capabilities] => Array ( [0] => a:1:{s:15:"bbp_participant";b:1;} )
Where 32 is the blog id.
Marking a user as spam in WordPress calls this:
$blogs = get_blogs_of_user( $val, true ); foreach ( (array) $blogs as $key => $details ) { if ( $details->userblog_id != $current_site->blog_id ) // main blog not a spam ! update_blog_status( $details->userblog_id, 'spam', '1' ); } update_user_status( $val, 'spam', '1' );
And get_blogs_of_user() uses get_user_meta( $user_id ) to get all 'wp_*_capabilities' keys. Resulting in giving back each blog, where the user is participant and updating it as spam:
foreach ( $keys as $key ) { if ( 'capabilities' !== substr( $key, -12 ) ) continue; if ( $wpdb->base_prefix && 0 !== strpos( $key, $wpdb->base_prefix ) ) continue; $blog_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key ); [...]
Is this a bbPress Bug? It seems not right to me, to mark every blog as spam where the spamming user has any capabilities at all. On the other hand, in WP itself no one you would mark as spam should have capabilities in the first place.
Or am I overlooking something?
Definitly it's very bad since you can't notice it if you aren't looking into /wp-admin/network/sites.php or visiting the affected blog(s) by yourself.
Change History (9)
#2
@
11 years ago
I believe this is a WordPress core bug
Yes. And if I think about it... it's not even possible to fix it within bbPress reliable.
Mainly if bbPress is only activated on selected blogs, but not on the main site. With a work around in bbPress, it would require to activate bbPress sitewide or at least on the main site, too.
Not _that_ bad, but what would the workaround be? Hooking wpmuadminedit, checking the $_GET and removing all capabilities if wpmuadminedit is called with allusers => spam?
Sounds messy. It would help for now, since this bug is really "omg sweet tea".
Edited: Found the ticket. For reference: #20774 in WPCore.
#3
@
11 years ago
Thanks for referencing the core bug. I think we could setup our own spam and unspam functions that closely mirror core, without the several-year-old bugs.
#5
follow-up:
↓ 6
@
11 years ago
- Milestone 2.6 deleted
- Resolution set to wontfix
- Status changed from new to closed
Going to close this as wontfix; here's why:
In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large. With this in mind, it's working as it's intended to.
bbPress provides the "Spectator" and "Blocked" roles to counter this drastic measure, for members that aren't exactly spammers and maybe could use a time-out. Granted, they can just make a new account or log-out if the forums are otherwise public, but the options still exist.
#6
in reply to:
↑ 5
;
follow-up:
↓ 8
@
11 years ago
- Resolution wontfix deleted
- Status changed from closed to reopened
Replying to johnjamesjacoby:
In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large.
Yes exactly.
With this in mind, it's working as it's intended to.
If I have a toxic person (or more likely a link spammer who's registered only to post links in my already established bbPress forums) and I mark him as a spammer in WP (the right action as a site admin):
All blogs get marked as SPAM (my established blogs, not newly created blogs by him)! No one can visit the forums anymore, because he became a participant by posting one single spam post.
I don't see how this can be intended and REALLY hope you reconsider this.
I don't know if you get a notice about this comment. I'll reopen the ticket for reconsideration just to ensure you see my comment, since I still think this is a really, really heavy issue.
#8
in reply to:
↑ 6
@
10 years ago
- Milestone changed from Awaiting Review to 2.7
Replying to wpdennis:
Replying to johnjamesjacoby:
In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large.
Yes exactly.
With this in mind, it's working as it's intended to.
If I have a toxic person (or more likely a link spammer who's registered only to post links in my already established bbPress forums) and I mark him as a spammer in WP (the right action as a site admin):
All blogs get marked as SPAM (my established blogs, not newly created blogs by him)! No one can visit the forums anymore, because he became a participant by posting one single spam post.
I don't see how this can be intended and REALLY hope you reconsider this.
I don't know if you get a notice about this comment. I'll reopen the ticket for reconsideration just to ensure you see my comment, since I still think this is a really, really heavy issue.
I understand what you're saying, and agree the experience is less than optimal. We can take some measures in bbPress & BuddyPress to own the experience, but I stand firm this is more of a WordPress core issue than it is ours.
Bumping to 2.7 pending more attention and a patch.
I believe this is a WordPress core bug, that we should probably be sensitive to. It's bitten buddypress.org a few times in the past, so we should consider fixing this ourselves.