[wp-meta] [Making WordPress.org] #4691: Break Password Hash when user is blocked

Making WordPress.org noreply at wordpress.org
Fri Aug 30 21:20:24 UTC 2019


#4691: Break Password Hash when user is blocked
----------------------------+---------------------
 Reporter:  Ipstenu         |       Owner:  (none)
     Type:  enhancement     |      Status:  new
 Priority:  normal          |   Milestone:
Component:  Support Forums  |  Resolution:
 Keywords:                  |
----------------------------+---------------------

Comment (by Ipstenu):

 Looking at the post, I said the wrong thing.

 > When an account is blocked, the email is changed.

 That should be

 > When an account is blocked, the PASSWORD is changed.

 :facepalm:

 Mangling the password would be all that's needed. If we trash the email,
 then they can make a new account with the same email. Changing the
 passwords will effectively break sessions, so that's why we would want
 that.

 > The goal in this issue (paraphrasing) is to invent a way to lock an
 account permanently.

 The goal in this issue was to make it easier for moderators to ban
 problematic people without having to remember the extra step of "Oh and
 ALSO do this to the passwords." Changing a user to blocked is sufficient,
 because we wrote code the other way in many places. That is, we check on
 the role for the forums. So an example is plugins. If your account is
 blocked on the forums, you can't be added to a plugin's committer list and
 you can't submit new plugins. This is because we know that if someone's
 blocked on forums, there's a reason.

 Locking permanently is a larger issue, but if we can ensure a blocked user
 is logged out and can't log back in as THAT account, then it minimizes
 human error on our end and prevents the problematic user from reusing THAT
 account.

 Can they make a new one? Of course. But that should never be an excuse to
 not do ''something'' :) People who are going to make multiple accounts
 would be a problem anyway, and that needs a totally separate kind of
 solution.

 Perma-sitewide locking would be cool. It would need to loop in a lot of
 things like auto-closing all plugins/themes and revoking SVN access. :)

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/4691#comment:15>
Making WordPress.org <https://meta.trac.wordpress.org/>
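The "block the account, then break its password hash" step discussed in the ticket, written as an added WordPress plugin example (not code from the ticket or from the WordPress.org codebase). It assumes bbPress's `bbp_blocked` role slug as the forum "blocked" role and uses core's `set_user_role` hook, `wp_set_password()`, `wp_generate_password()` and `WP_Session_Tokens`; the `_example_blocked_at` usermeta key is a hypothetical name:

```php
<?php
/**
 * Added example (not WordPress.org code): when a moderator moves a user
 * into the forum "blocked" role, replace the stored password hash with the
 * hash of a long random secret that nobody keeps, and destroy every session,
 * so the block cannot be bypassed with the old password or an old cookie.
 *
 * Assumptions: the blocked role slug is bbPress's 'bbp_blocked'; the hooks
 * and helpers used are WordPress/bbPress core.
 */

const EXAMPLE_BLOCKED_ROLE = 'bbp_blocked'; // assumed bbPress blocked role slug

/**
 * Runs on the core 'set_user_role' action ( $user_id, $role, $old_roles ).
 */
function example_break_password_on_block( $user_id, $role, $old_roles ) {
    if ( EXAMPLE_BLOCKED_ROLE !== $role ) {
        return; // only act on a transition into the blocked role
    }

    // Edge case: do not lock out the moderator performing the block.
    if ( get_current_user_id() === (int) $user_id ) {
        return;
    }

    // A 64-character random password that is generated and discarded:
    // the stored hash no longer corresponds to anything a person can type.
    $throwaway = wp_generate_password( 64, true, true );
    wp_set_password( $throwaway, $user_id );

    // Changing user_pass already invalidates existing auth cookies, since
    // the cookie HMAC covers a fragment of the stored hash; destroying the
    // session tokens makes the logout explicit on every device.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();

    // Leave an audit trail for moderators (hypothetical usermeta key).
    update_user_meta( $user_id, '_example_blocked_at', time() );
}
add_action( 'set_user_role', 'example_break_password_on_block', 10, 3 );
```

Because the account's email is left untouched, the user cannot register a fresh account with the same address, which is the reason the comment prefers mangling the password over trashing the email.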