Opened 5 years ago

Last modified 4 years ago

#2484 reopened defect

Marking participants as spam, marks whole Blogs as spam

Reported by: wpdennis
Owned by: johnjamesjacoby
Milestone: 2.8
Priority: omg sweet tea
Severity: critical
Version:
Component: API - Roles/Capabilities
Keywords: dev-feedback
Cc:

Description

If you mark a user as spam in /wp-admin/network/users.php, it will mark as spam each blog where the user is a participant.

It happens if bbp_allow_global_access() is true in a multisite environment.

The reason seems to be:

In multisite with bbp_allow_global_access each participant gets the participant capability and get_user_meta($user_id) will return:

[wp_32_capabilities] => Array
	(
		[0] => a:1:{s:15:"bbp_participant";b:1;}
	)

Where 32 is the blog id.

Marking a user as spam in WordPress calls this:

$blogs = get_blogs_of_user( $val, true );
foreach ( (array) $blogs as $key => $details ) {
	if ( $details->userblog_id != $current_site->blog_id ) // main blog not a spam !
		update_blog_status( $details->userblog_id, 'spam', '1' );
}
update_user_status( $val, 'spam', '1' );

And get_blogs_of_user() uses get_user_meta( $user_id ) to get all 'wp_*_capabilities' keys, resulting in returning each blog where the user is a participant and updating it as spam:

foreach ( $keys as $key ) {
	if ( 'capabilities' !== substr( $key, -12 ) )
		continue;
	if ( $wpdb->base_prefix && 0 !== strpos( $key, $wpdb->base_prefix ) )
		continue;
	$blog_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key );
[...]

Is this a bbPress bug? It doesn't seem right to me to mark every blog as spam where the spamming user has any capabilities at all. On the other hand, in WP itself no one you would mark as spam should have capabilities in the first place.

Or am I overlooking something?

Definitely it's very bad, since you can't notice it if you aren't looking into /wp-admin/network/sites.php or visiting the affected blog(s) yourself.
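Added example (not part of the original ticket, and not WordPress or bbPress code): a standalone PHP reproduction of the key filtering quoted above, run over constructed user meta, next to a hypothetical stricter selection that skips blogs where the user holds only bbPress forum roles. The function names, the sample meta, the `is_numeric` guard and the `bbp_` prefix rule are assumptions made for illustration.

```php
<?php
// Constructed sample: shape of get_user_meta( $user_id ) for an account that
// administers blog 7 and merely posted in the forums of blogs 32 and 45.
$base_prefix = 'wp_'; // stands in for $wpdb->base_prefix
$user_meta   = array(
    'nickname'           => array( 'linkspammer' ),
    'wp_7_capabilities'  => array( serialize( array( 'administrator' => true ) ) ),
    'wp_32_capabilities' => array( serialize( array( 'bbp_participant' => true ) ) ),
    'wp_45_capabilities' => array( serialize( array( 'bbp_participant' => true ) ) ),
    'wp_45_user_level'   => array( '0' ),
);

// Key filtering as in the excerpt: every "<prefix><id>_capabilities" key is
// treated as membership of blog <id>, whatever the capabilities are.
function blogs_by_capability_key( array $meta, $base_prefix ) {
    $blog_ids = array();
    foreach ( array_keys( $meta ) as $key ) {
        if ( 'capabilities' !== substr( $key, -12 ) ) {
            continue;
        }
        if ( $base_prefix && 0 !== strpos( $key, $base_prefix ) ) {
            continue;
        }
        $blog_id = str_replace( array( $base_prefix, '_capabilities' ), '', $key );
        if ( is_numeric( $blog_id ) ) { // guard added for this example
            $blog_ids[] = (int) $blog_id;
        }
    }
    return $blog_ids;
}

// Hypothetical stricter selection: drop blogs where every role the user
// holds is a bbPress forum role (assumed here to start with "bbp_").
function blogs_excluding_forum_only( array $meta, $base_prefix ) {
    $keep = array();
    foreach ( blogs_by_capability_key( $meta, $base_prefix ) as $blog_id ) {
        $raw   = $meta[ $base_prefix . $blog_id . '_capabilities' ][0];
        $caps  = unserialize( $raw, array( 'allowed_classes' => false ) );
        $other = array_filter( array_keys( array_filter( (array) $caps ) ), function ( $role ) {
            return 0 !== strpos( $role, 'bbp_' );
        } );
        if ( $other ) {
            $keep[] = $blog_id;
        }
    }
    return $keep;
}

echo 'core key filter:    ', implode( ', ', blogs_by_capability_key( $user_meta, $base_prefix ) ), "\n";
echo 'forum-only skipped: ', implode( ', ', blogs_excluding_forum_only( $user_meta, $base_prefix ) ), "\n";
```

With the constructed meta, the first line lists every blog the spam action would touch and the second lists only the blog the account actually controls.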

Change History (9)

#1 @johnjamesjacoby
5 years ago

  • Milestone changed from Awaiting Review to 2.6

I believe this is a WordPress core bug, that we should probably be sensitive to. It's bitten buddypress.org a few times in the past, so we should consider fixing this ourselves.

#2 @wpdennis
5 years ago

> I believe this is a WordPress core bug

Yes. And if I think about it... it's not even possible to fix it within bbPress reliably.

Mainly if bbPress is only activated on selected blogs, but not on the main site. With a workaround in bbPress, it would require activating bbPress sitewide or at least on the main site, too.

Not _that_ bad, but what would the workaround be? Hooking wpmuadminedit, checking the $_GET and removing all capabilities if wpmuadminedit is called with allusers => spam?

Sounds messy. It would help for now, since this bug is really "omg sweet tea".

Edited: Found the ticket. For reference: #20774 in WPCore.

Last edited 5 years ago by wpdennis

#3 @johnjamesjacoby
5 years ago

Thanks for referencing the core bug. I think we could set up our own spam and unspam functions that closely mirror core, without the several-year-old bugs.

Last edited 5 years ago by johnjamesjacoby

#4 @johnjamesjacoby
5 years ago

  • Owner set to johnjamesjacoby

#5 follow-up: @johnjamesjacoby
5 years ago

  • Milestone 2.6 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Going to close this as wontfix; here's why:

In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large. With this in mind, it's working as it's intended to.

bbPress provides the "Spectator" and "Blocked" roles to counter this drastic measure, for members that aren't exactly spammers and maybe could use a time-out. Granted, they can just make a new account or log-out if the forums are otherwise public, but the options still exist.

#6 in reply to: ↑ 5 ; follow-up: @wpdennis
5 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to johnjamesjacoby:

> In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large.

Yes exactly.

> With this in mind, it's working as it's intended to.

If I have a toxic person (or more likely a link spammer who's registered only to post links in my already established bbPress forums) and I mark him as a spammer in WP (the right action as a site admin):

All blogs get marked as SPAM (my established blogs, not newly created blogs by him)! No one can visit the forums anymore, because he became a participant by posting one single spam post.

I don't see how this can be intended and REALLY hope you reconsider this.

I don't know if you get a notice about this comment. I'll reopen the ticket for reconsideration just to ensure you see my comment, since I still think this is a really, really heavy issue.

#7 @netweb
5 years ago

  • Milestone set to Awaiting Review

#8 in reply to: ↑ 6 @johnjamesjacoby
4 years ago

  • Milestone changed from Awaiting Review to 2.7

Replying to wpdennis:

> Replying to johnjamesjacoby:
>
> > In WordPress, marking a user as a spammer is a serious offense. It means we have confirmed that the account as a whole is toxic, and provides no value to the network and community at large.
>
> Yes exactly.
>
> > With this in mind, it's working as it's intended to.
>
> If I have a toxic person (or more likely a link spammer who's registered only to post links in my already established bbPress forums) and I mark him as a spammer in WP (the right action as a site admin):
>
> All blogs get marked as SPAM (my established blogs, not newly created blogs by him)! No one can visit the forums anymore, because he became a participant by posting one single spam post.
>
> I don't see how this can be intended and REALLY hope you reconsider this.
>
> I don't know if you get a notice about this comment. I'll reopen the ticket for reconsideration just to ensure you see my comment, since I still think this is a really, really heavy issue.

I understand what you're saying, and agree the experience is less than optimal. We can take some measures in bbPress & BuddyPress to own the experience, but I stand firm this is more of a WordPress core issue than it is ours.

Bumping to 2.7 pending more attention and a patch.

#9 @johnjamesjacoby
4 years ago

  • Milestone changed from 2.7 to 2.8

Bumping all 2.7 to 2.8 milestone.
