Opened 5 years ago
Last modified 5 years ago
#3262 assigned enhancement
Invalidate user cookies when blocked role is applied
Reported by: | pierlo | Owned by: | johnjamesjacoby |
---|---|---|---|
Milestone: | 2.7 | Priority: | high |
Severity: | normal | Version: | trunk |
Component: | API - Roles/Capabilities | Keywords: | has-patch dev-feedback |
Cc: |
Description
As discussed in #4691 on the WP Trac, assigning the 'blocked' role to a user should invalidate their cookies. In bbPress 1.2, this was done by appending '---' to the password hash.
Testing this method does not work in WordPress 5.3, and instead in the patch attached I've gone with prefixing an underscore to the hash. This produces an invalid hash when being compared with a plaintext password, and thus logins fail without error.
One thing to note is when default roles are being remapped, it will 'fix' the broken hashes if the user was previously blocked.
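Added example, not part of the ticket or its patch: a stand-alone PHP model of how WordPress 5.3 keys the auth-cookie MAC in `wp_generate_auth_cookie()` with characters 8 to 11 of the stored password hash, showing which of the two hash mutations described above changes that fragment. The salt, user, token and hash are constructed values, and the `model_*` function names are hypothetical.

```php
<?php
// Simplified model of the auth-cookie MAC in WordPress 5.3
// (wp_generate_auth_cookie / wp_validate_auth_cookie).
// SITE_SALT and all sample values below are constructed, not from a real site.
const SITE_SALT = 'constructed-auth-key-and-salt';

// Mirrors wp_hash(): HMAC-MD5 keyed with the site's secret salt.
function model_wp_hash(string $data): string {
    return hash_hmac('md5', $data, SITE_SALT);
}

// The MAC covers login, expiry and session token; the MAC key additionally
// mixes in characters 8-11 of the stored password hash.
function model_cookie_mac(string $login, string $stored_hash, int $exp, string $token): string {
    $pass_frag = substr($stored_hash, 8, 4);
    $key = model_wp_hash($login . '|' . $pass_frag . '|' . $exp . '|' . $token);
    return hash_hmac('sha256', $login . '|' . $exp . '|' . $token, $key);
}

// A cookie issued earlier is accepted only if the MAC recomputed from the
// hash currently stored for the user matches the MAC inside the cookie.
function model_cookie_still_valid(string $cookie_mac, string $login, string $current_hash, int $exp, string $token): bool {
    return hash_equals(model_cookie_mac($login, $current_hash, $exp, $token), $cookie_mac);
}

$login = 'blocked_user';
$hash  = '$P$BQ7xk2mVtR9LwYc3dZ0aHfUe1NsGpJ/'; // constructed phpass-style hash
$exp   = 1893456000;                            // constructed expiry timestamp
$token = 'constructed-session-token';

// The cookie the user already holds from before the block was applied.
$issued = model_cookie_mac($login, $hash, $exp, $token);

$mutations = [
    'unchanged'                  => $hash,
    "suffix '---' (bbPress 1.2)" => $hash . '---',
    "prefix '_' (this patch)"    => '_' . $hash,
];

foreach ($mutations as $label => $stored) {
    $ok = model_cookie_still_valid($issued, $login, $stored, $exp, $token);
    printf("%-28s frag=%s  cookie %s\n", $label, substr($stored, 8, 4), $ok ? 'still accepted' : 'rejected');
}
```

The model leaves out the expiry and session-token checks that `wp_validate_auth_cookie()` also performs. `WP_Session_Tokens::get_instance( $user_id )->destroy_all()` ends a user's sessions without modifying the stored hash.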
Attachments (1)
Change History (8)
This ticket was mentioned in Slack in #bbpress by pierlo.
5 years ago
#3, 5 years ago
That makes sense. I guess that would reside in the Forums Settings with options like "Block from forums and site" and "Block from forums only". Wouldn't want too many options deviating from that.
I think this patch is a good first effort.
Remember that the default experience in bbPress is that Forum roles are separate from Site roles, so it is expected for a user account to be Blocked from the Forums without also being Blocked from the Site.
Perhaps we consider adding a setting to allow Forum owners to set what happens when a user is blocked? For example, a multisite installation may also want to mark that account as Deleted or Spam? What do you think?