[wp-meta] [Making WordPress.org] #5689: Plugin Directory: Banned Users should not be able to upload plugins
Making WordPress.org
noreply at wordpress.org
Tue Apr 6 02:18:50 UTC 2021
#5689: Plugin Directory: Banned Users should not be able to upload plugins
------------------------------------+-----------------------
 Reporter:  Ipstenu                 |       Owner:  dd32
     Type:  defect                  |      Status:  accepted
 Priority:  normal                  |   Milestone:
Component:  Login & Authentication  |  Resolution:
 Keywords:                          |
------------------------------------+-----------------------
Changes (by dd32):

 * owner: (none) => dd32
 * status: new => accepted
 * component: General => Login & Authentication

Comment:

 This is still very odd, a user blocked two months ago should not have been
 able to have an active logged-in session, regardless of whether their
 password was reset or not. The user was banned prior to #4691 so I'm
 pondering if it's a stale cache being used?

 I'm not entirely sure how or what is happening here, but a blocked user
 having an active session is far more serious than just being able to
 submit plugins.

 I've added a super-ban-hammer on the `determine_current_user` filter to
 absolutely block a blocked user ever having an active session in
 r17146-dotorg & r17147-dotorg.

 Let's see how that goes, it really shouldn't have been needed, but if this
 doesn't fix it...

 (If only I could ask a banned user as to how they bypassed it...)

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/5689#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
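
A sketch of the kind of `determine_current_user` veto the comment above describes, added here as an illustration; it is not the code from r17146-dotorg or r17147-dotorg, which this page does not show. The role slug `example_blocked` and the function name are assumptions, and the filter is assumed to be registered early (for example from a must-use plugin) so it is in place before the current user is resolved.

```php
<?php
/**
 * Added example: refuse to resolve a session for a blocked account.
 * The role slug below is an assumption made for this sketch.
 */

const EXAMPLE_BLOCKED_ROLE = 'example_blocked'; // Hypothetical role slug.

/**
 * Runs after core's cookie and application-password callbacks
 * (priorities 10 and 20), so it sees the user ID they resolved.
 *
 * @param int|false $user_id User ID resolved so far, or false if none.
 * @return int|false The same ID, or false when the account is blocked.
 */
function example_deny_blocked_user_session( $user_id ) {
	if ( ! $user_id ) {
		return $user_id; // Nobody authenticated; nothing to veto.
	}

	// get_userdata() reads through the object cache, so this check is
	// only as fresh as that cache.
	$user = get_userdata( (int) $user_id );
	if ( ! $user ) {
		return false; // Cookie references an account that no longer exists.
	}

	if ( ! in_array( EXAMPLE_BLOCKED_ROLE, (array) $user->roles, true ) ) {
		return $user_id; // Not blocked; leave the resolved user untouched.
	}

	// Invalidate every stored session token so existing cookies stop
	// validating, instead of relying on this filter alone per request.
	WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

	return false; // Treat the request as logged out.
}
add_filter( 'determine_current_user', 'example_deny_blocked_user_session', 99 );
```

Because the role lookup goes through cached user data, a stale cache entry that predates the ban would let the account through this check as well, so the cache should be invalidated when the ban is applied.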