
Changeset 10579


Timestamp:
01/14/2021 06:06:09 AM (4 years ago)
Author:
dd32
Message:

Authentication: Display the blocked user warning upon attempting to login after [10578].

See #4691.

File:
1 edited

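--- a/sites/trunk/common/includes/wporg-sso/wp-plugin.php
+++ b/sites/trunk/common/includes/wporg-sso/wp-plugin.php
@@ -56,5 +56,5 @@
 
                 add_filter( 'allow_password_reset', array( $this, 'disable_password_reset_for_blocked_users' ), 10, 2 );
-                add_filter( 'authenticate', array( $this, 'authenticate_block_check' ), 30 );
+                add_filter( 'authenticate', array( $this, 'authenticate_block_check' ), 5, 2 );
 
                 add_filter( 'password_change_email', array( $this, 'replace_admin_email_in_change_emails' ) );
@@ -90,11 +90,21 @@
          * @param WP_User|WP_Error|null $user WP_User or WP_Error object if a previous
          *                                    callback failed authentication.
+         * @param string $user_login The user login attmpting to login.
          * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
          */
-        public function authenticate_block_check( $user ) {
-            if ( $user instanceof WP_User && defined( 'WPORG_SUPPORT_FORUMS_BLOGID' ) ) {
-                $support_user = new WP_User( $user->ID, '', WPORG_SUPPORT_FORUMS_BLOGID );
-
-                if ( ! empty( $support_user->allcaps['bbp_blocked'] ) ) {
+        public function authenticate_block_check( $user, $user_login ) {
+
+            $support_user = get_user_by( 'login', $user_login );
+            if ( $support_user && defined( 'WPORG_SUPPORT_FORUMS_BLOGID' ) ) {
+                $support_user->for_site( WPORG_SUPPORT_FORUMS_BLOGID );
+
+                if (
+                    'BLOCKED' === substr( $support_user->user_pass, 0, 7 ) ||
+                    ! empty( $support_user->allcaps['bbp_blocked'] )
+                ) {
+                    // Returning a WP_Error from an authenticate filter doesn't block auth, as a later hooked item can return truthful.
+                    // By removing all actions, we can catch both the bbp_blocked role for old users, and those whose passwords were broken via https://meta.trac.wordpress.org/changeset/10578
+                    remove_all_actions( 'authenticate' );
+
                     return new WP_Error(
                         'blocked_account',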
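Review bot: The lookup at new line 97 matches only on the login name, so the check no longer covers a sign-in where `$user_login` holds an e-mail address or where an earlier callback has already supplied a `WP_User`; the previous priority-30 version inspected whichever user had actually authenticated. For accounts that carry `bbp_blocked` but still have a working password (the "old users" the inline comment refers to), that path would presumably skip the block, assuming core's e-mail sign-in callback is still hooked on this install. Consider a fallback such as `if ( ! $support_user && is_email( $user_login ) ) { $support_user = get_user_by( 'email', $user_login ); }`, and use `$user` directly when it is already a `WP_User`. Because the error is now returned at priority 5, before any password check, the response also discloses the blocked state to anyone who submits the username; that looks intended, but it deserves a line in the docblock. The function body continues past the end of this hunk.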