Opened 4 years ago
Closed 4 years ago
#5574 closed defect (bug) (duplicate)
Banned Users are NOT being logged out
Reported by: | Ipstenu | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | General | Keywords: | needs-patch |
Cc: |
Description
A user was banned on Jan 6th (by me)
On Jan 13th, they were still logged in (or were able to log back in) and submitted a plugin.
I'm going to make a related ticket about why on earth a banned user can upload anyway, but this is making it clear that the whole 'banned users get logged out' is not functioning properly.
We need to revisit whatever it is we're doing on banned users to force logout, becuase now the only way to ensure they won't just keep on keeping on is to reset passwords, which alerts people that we changed their passwords and gets them all weird and angry (understandably).
I can provide specifics if needed, but I don't want to name/shame in a ticket.
Change History (3)
#2
follow-up:
↓ 3
@
4 years ago
Countless people have insisted that it does, and we were to NOT reset passwords when banning people. I can trawl back through Slack, but at the very least that's what @otto42 told me, and I believed him.
Now if that is not happening, it needs to, because otherwise you're putting more work on the volunteers rather needlessly.
I guess a fix would be to change the password automatically when a user gets blocked, without sending the default notification email.
Honest to mergatroyd, that's what I (and the Support Team) was told was happening!
I‘m wondering why you think that such functionality exists? Banning a user is just a role/flag which only prevents new logins and password resets.
To force a logout you always have to change the password otherwise existing cookies are still valid.
Unfortunately WordPress.org doesn’t use sessions ([WP29221]) due to Trac not supporting it (and maybe other systems).
I guess a fix would be to change the password automatically when a user gets blocked, without sending the default notification email.