
Changeset 10578


Timestamp:
01/14/2021 05:44:38 AM (4 years ago)
Author:
dd32
Message:

Support Forums: When a user is blocked on the forums, break their password hash to prevent logins and terminate all current sessions (WordPress & Trac).

See #4691.

File:
1 edited

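--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-hooks.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-hooks.php
@@ -128,4 +128,7 @@
         // Add a no-reply-to-email suggestion to topic subscription emails
         add_filter( 'bbp_subscription_mail_message', array( $this, 'bbp_subscription_mail_message'), 5, 3 );
+
+        // Break users sessions / passwords when they get blocked.
+        add_action( 'bbp_set_user_role', array( $this, 'user_blocked_password_handler' ), 10, 3 );
     }
 
@@ -1279,3 +1282,59 @@
         return $message;
     }
+
+    /**
+     * Catch a user being blocked / unblocked and set their password appropriately.
+     */
+    public function user_blocked_password_handler( $new_role, $user_id, \WP_User $user ) {
+        global $wpdb;
+
+        // ~~~ is a reset password on WordPress.org. Let's ignore those.
+        if ( '~~~' === $user->user_pass ) {
+            return;
+        }
+
+        // bbPress 1.x used `{$user_pass}---{$secret}` while we're using the reverse here.
+        // This is to ensure that anything that uses the password hash as part of a cookie no longer validates.
+        $blocked_prefix  = 'BLOCKED' . substr( wp_hash( 'bb_break_password' ), 0, 13 ) . '---';
+        $blocked_role    = bbp_get_blocked_role();
+        $password_broken = ( 0 === strpos( $user->user_pass, $blocked_prefix ) );
+
+        if ( $blocked_role === $new_role && ! $password_broken ) {
+            // User has been blocked, break their password and sessions.
+            // WordPress doesn't have a way to edit a user password without re-hashing it.
+            $wpdb->update(
+                $wpdb->users,
+                array(
+                    'user_pass' => $blocked_prefix . $user->user_pass,
+                ),
+                array(
+                    'ID' => $user->ID
+                )
+            );
+
+            clean_user_cache( $user );
+
+            // Destroy all of their WordPress sessions.
+            $manager = \WP_Session_Tokens::get_instance( $user->ID );
+            $manager->destroy_all();
+
+        } else if (
+            $password_broken &&
+            ! $user->has_role( $blocked_role )
+        ) {
+            // User was blocked (broken password) but no longer is.
+            // WordPress doesn't have a way to edit a user password without re-hashing it.
+            $wpdb->update(
+                $wpdb->users,
+                array(
+                    'user_pass' => substr( $user->user_pass, strlen( $blocked_prefix ) ),
+                ),
+                array(
+                    'ID' => $user->ID
+                )
+            );
+
+            clean_user_cache( $user );
+        }
+    }
 }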
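Review bot: The early return on `'~~~' === $user->user_pass` at the top of user_blocked_password_handler also skips the `\WP_Session_Tokens::get_instance( $user->ID )->destroy_all()` call, so a user whose password hash was already reset keeps any live WordPress sessions when blocked, unless the reset procedure itself already clears them. That guard is only needed for the hash rewrite: a `~~~` hash never starts with `$blocked_prefix`, so `$password_broken` stays false and the unblock branch is unaffected by moving it. Scoping the check to the `$wpdb->update()` inside the block branch keeps the existing rewrite behaviour while still tearing down sessions; the `$wpdb->update()` return value could also be checked, since a failed update currently still clears the cache and destroys sessions without any signal. The method is fully inside the hunk; only the enclosing class's header lies outside it.
```php
    public function user_blocked_password_handler( $new_role, $user_id, \WP_User $user ) {
        global $wpdb;

        // … unchanged: $blocked_prefix / $blocked_role / $password_broken setup (early ~~~ return dropped) …

        if ( $blocked_role === $new_role && ! $password_broken ) {
            // ~~~ is a reset password on WordPress.org: leave that hash alone, but still drop the sessions.
            if ( '~~~' !== $user->user_pass ) {
                // WordPress doesn't have a way to edit a user password without re-hashing it.
                $wpdb->update(
                    $wpdb->users,
                    array(
                        'user_pass' => $blocked_prefix . $user->user_pass,
                    ),
                    array(
                        'ID' => $user->ID
                    )
                );

                clean_user_cache( $user );
            }

            // Destroy all of their WordPress sessions.
            $manager = \WP_Session_Tokens::get_instance( $user->ID );
            $manager->destroy_all();

        } else if (
        // … unchanged: unblock branch …
```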