Making WordPress.org

Opened 4 years ago

Closed 4 years ago

#5574 closed defect (bug) (duplicate)

Banned Users are NOT being logged out

Reported by: ipstenu's profile Ipstenu Owned by:
Milestone: Priority: normal
Component: General Keywords: needs-patch
Cc:

Description

A user was banned on Jan 6th (by me)

On Jan 13th, they were still logged in (or were able to log back in) and submitted a plugin.

I'm going to make a related ticket about why on earth a banned user can upload anyway, but this is making it clear that the whole 'banned users get logged out' is not functioning properly.

We need to revisit whatever it is we're doing on banned users to force logout, becuase now the only way to ensure they won't just keep on keeping on is to reset passwords, which alerts people that we changed their passwords and gets them all weird and angry (understandably).

I can provide specifics if needed, but I don't want to name/shame in a ticket.

Change History (3)

#1 @ocean90
4 years ago

that the whole 'banned users get logged out' is not functioning properly

I‘m wondering why you think that such functionality exists? Banning a user is just a role/flag which only prevents new logins and password resets.

To force a logout you always have to change the password otherwise existing cookies are still valid.

Unfortunately WordPress.org doesn’t use sessions ([WP29221]) due to Trac not supporting it (and maybe other systems).

I guess a fix would be to change the password automatically when a user gets blocked, without sending the default notification email.

Last edited 4 years ago by ocean90 (previous) (diff)

#2 follow-up: @Ipstenu
4 years ago

Countless people have insisted that it does, and we were to NOT reset passwords when banning people. I can trawl back through Slack, but at the very least that's what @otto42 told me, and I believed him.

Now if that is not happening, it needs to, because otherwise you're putting more work on the volunteers rather needlessly.

I guess a fix would be to change the password automatically when a user gets blocked, without sending the default notification email.

Honest to mergatroyd, that's what I (and the Support Team) was told was happening!

#3 in reply to: ↑ 2 @dd32
4 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Replying to Ipstenu:

Countless people have insisted that it does, and we were to NOT reset passwords when banning people.

Yeah no, this is a long term known thing.. Banning users doesn't reset their cookies.

#4691

Note: See TracTickets for help on using tickets.