Opened 9 years ago
Closed 8 years ago
#6816 closed defect (bug) (worksforme)
Delete records of spam users in not-activated users list on bp-signups
| Reported by: | slaFFik | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | |
| Cc: | | | |
Description
When marking a user as a spammer, the appropriate record is not deleted from /wp-admin/users.php?page=bp-signups, although all other data (like created spam groups) is deleted.
Change History (16)
#2
@
9 years ago
1) New user X registered
2) X was sent an email to activate his account; he is listed on the /wp-admin/users.php?page=bp-signups page
3) X didn't follow the link in the email, so the record about him is still on the bp-signups page
4) X can create group (spam content)
5) Admin saw that and wants to mark the user as spammer on the wp-admin/users.php page
6) X is marked as spammer (and his spam group and all other content was deleted properly)
7) X is still listed on the /wp-admin/users.php?page=bp-signups page, as his account was not activated.
IMO, we should remove users from the bp-signups page if they are marked as spammers (as all their content was also removed).
AND we should not allow him to create groups until he activates his account :)
All that on ordinary WordPress (not MS) with BuddyPress 2.4.3
#3
@
9 years ago
Also, I don't even think that anyone can unspam a user. I'm an admin of a social network on BuddyPress; I'm marking users as spammers before removing them in the hope that Akismet gets that data.
#4
@
9 years ago
Is what you described in 1) to 7) still happening if define( 'BP_SIGNUPS_SKIP_USER_CREATION', true ); ?
4) A not-activated account on a non-MS site can create groups? I'd be interested to have the way to reproduce this.
Are you sure there's not a plugin/custom code that would activate the user, forgetting to update the signups table?
If the action unspam exists, there must be a reason :)
#5
@
9 years ago
There is an Unspam link for users that were marked as spam (/wp-admin/users.php?action=ham&user=2738&_wpnonce=c42331c937).
I have Limit Login Attempts, Wordfence Security & Stop Spammers Spam Control plugins activated. I'm not sure that I will be daring enough to try to reproduce on a live site without these plugins.
But I will test with that define (I put it in bp-custom.php).
#7
@
9 years ago
Is what you described in 1) to 7) still happening if define( 'BP_SIGNUPS_SKIP_USER_CREATION', true ); ?
Yes, everything seems to be the same (1,2,3,5,6,7; there are no spam groups created since that time, but dunno whether it's related to this define or not).
#8
@
9 years ago
Is the config multisite or not?
I assumed it wasn't a multisite because the user was created. Using the constant is making sure the user is not created for non-multisite configs.
So I'm a bit amazed that you have steps > 3.
#10
@
9 years ago
Are you sure that having the constant set, you still have:
4) X can create group (spam content)
5) Admin saw that and wants to mark the user as spammer on wp-admin/users.php page
6) X is marked as spammer (and his spam group and all other content was deleted properly)
7) X is still listed on /wp-admin/users.php?page=bp-signups page, as his account was not activated.
Using the constant, as the user is not created unless the account is activated using the activate link, it's very strange to still have 5 to 7.
I would expect that if the user is created, then the account has been activated, then, at least point 7 should disappear.
#11
@
9 years ago
Finally got what you mean, sort of.
There were no new spam groups, because I disabled group creation. Re-enabled again. So that's why there was no 4).
5) and 6) are still valid.
7) Not listed.
Hi @slaFFik,
Just to make sure I understand this ticket.
A user signs up. He's not listed in the users but in pending accounts. As he's not a user yet, you can't spam him.
He activates his account, then he's listed in users, so you can spam him, but as he's already no longer listed in pending accounts, I don't see why it's necessary to delete the row in $wpdb->signups. Moreover, I think it's too bad to do so, as we won't be able to rebuild this registration data when you unspam the user. So I think I'd leave it the way it is, just like WordPress multisite configs are doing by default.
If I didn't understand the ticket, feel free to develop your idea :)