Opened 2 weeks ago

Last modified 2 weeks ago

#3262 new enhancement

Invalidate user cookies when blocked role is applied

Reported by: pierlo
Owned by:
Milestone: Awaiting Review
Priority: high
Severity: normal
Version: trunk
Component: API - Roles/Capabilities
Keywords: has-patch dev-feedback


As discussed in #4691 on the WP Trac, assigning the 'blocked' role to a user should invalidate their cookies. In bbPress 1.2, this was done by appending '---' to the password hash.

In testing, this method does not work in WordPress 5.3, and in the attached patch I've instead gone with prefixing an underscore to the hash. This produces an invalid hash when being compared with a plaintext password, and thus logins fail without error.

One thing to note is when default roles are being remapped, it will 'fix' the broken hashes if the user was previously blocked.

Attachments (1)

3262.patch (5.7 KB) - added by pierlo 2 weeks ago.
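
Added example, not part of the ticket or of 3262.patch: a simplified stand-alone model of how WordPress core signs auth cookies in wp_generate_auth_cookie(), where four characters of the stored password hash (offset 8) go into the HMAC key. In this model the cookie stays valid when '---' is appended to the hash and stops validating when an underscore is prefixed. The salt, user name, token and hash are constructed sample values, and the helper function names are hypothetical.

```php
<?php
// Simplified model of WordPress auth-cookie signing (wp_generate_auth_cookie /
// wp_validate_auth_cookie). Session-token storage and expiry checks are omitted.
// SALT, the user name, the token and the hash are constructed sample values.
const SALT = 'constructed-auth-key-and-salt';

// Hypothetical helper: derives the per-cookie HMAC key the way core does.
function cookie_key(string $login, string $stored_hash, int $exp, string $token): string {
    // Core mixes characters 8..11 of the stored hash into the key material.
    $pass_frag = substr($stored_hash, 8, 4);
    // wp_hash() is an MD5 HMAC keyed with the site salt.
    return hash_hmac('md5', "$login|$pass_frag|$exp|$token", SALT);
}

// Hypothetical helper: builds "login|expiration|token|mac".
function make_cookie(string $login, string $stored_hash, int $exp, string $token): string {
    $key = cookie_key($login, $stored_hash, $exp, $token);
    $mac = hash_hmac('sha256', "$login|$exp|$token", $key);
    return "$login|$exp|$token|$mac";
}

// Hypothetical helper: re-derives the MAC from the hash currently stored.
function cookie_valid(string $cookie, string $stored_hash): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return false;
    }
    [$login, $exp, $token, $mac] = $parts;
    $key      = cookie_key($login, $stored_hash, (int) $exp, $token);
    $expected = hash_hmac('sha256', "$login|$exp|$token", $key);
    return hash_equals($expected, $mac);
}

$hash   = '$P$BconstructedSampleHash0123456789'; // constructed, phpass-shaped
$cookie = make_cookie('alice', $hash, 1893456000, 'constructed-session-token');

var_dump(cookie_valid($cookie, $hash));          // hash unchanged
var_dump(cookie_valid($cookie, $hash . '---'));  // suffix: offset 8..11 untouched
var_dump(cookie_valid($cookie, '_' . $hash));    // prefix: offset 8..11 shifts by one
```

The prefix only changes the key when the four characters at offset 7 differ from those at offset 8, which holds for this sample hash. The model covers cookie validation only; the password check at login is a separate code path.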