(phpbb) banned users can login / change pages

Question

(phpbb) banned users can login / change pages

abma opened this issue 8 years ago · 3 comments

idk how to check the banned state but it seems the plugin doesn't check ban state of a user in phpbb.

Answer 1 · 2017-02-15T13:14:12.000Z

Correct it doesn't, it only checks whether the user is active or not, and whether the user is in the proper group.

We wouldn't be able to change it so banned users can't view the wiki, and it might be hard to check for banned emails/IPs, but we could probably make it check for banned users.

Answer 2 · 2017-02-20T18:42:40.000Z

The banned users table (banlist) can be checked by user ID (ban_userid - indexed as ban_user:ban_userid + ban_exclude), email (ban_email), or IP (ban_ip). Need to consider users.user_id, users.user_email, banlist.ban_userid, banlist.ban_email, and banlist.ban_ip in the SELECT, given $username in getCanonicalName(). $username will be IP for anonymous users. IP can be wildcarded in banlist.ban_ip, so a little more effort there.

Answer 3 · 2017-03-20T13:05:09.000Z

phpbb/session.php has a method check_ban, we should probably just use that method.