BuddyPress.org

Opened 2 months ago

Closed 8 weeks ago

#8316 closed defect (bug) (fixed)

Multisite: Marking a user as a spammer can unintentionally mark legitimate sites as spam as well

Reported by: r-a-y
Owned by: r-a-y
Milestone: 6.1.0
Priority: high
Severity: major
Version: 1.6
Component: Members
Keywords: has-patch commit
Cc:

Description

The problem occurs in bp_core_process_spammer_status().

The call to fetch a user's sites via get_blogs_of_user() doesn't take into account whether other users might be an administrator of the site.

If the site has more than one admin, we shouldn't mark the site as spam since the site might be active.


Attached patch includes a fix and unit test.

I opted to replace the call to get_blogs_of_user() with a lighter version that doesn't pull up the site object for each site. This logic is pulled from get_blogs_of_user(): https://github.com/WordPress/WordPress/blob/5.4-branch/wp-includes/user.php#L654-L669.

To determine if the site has more than one admin, I'm using count_users().

Attachments (1)

8316.01.patch (3.1 KB) - added by r-a-y 2 months ago.
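
The approach described in the ticket, as an added sketch in plain PHP (not the code from 8316.01.patch): site IDs are parsed from the user's meta keys in the style of get_blogs_of_user(), and a site is selected only when the user is its sole administrator. The function names, the `wp_` prefix, the user IDs and the role map (which stands in for the count_users() lookup) are assumptions constructed for illustration.

```php
<?php
// Added illustration, not the code from 8316.01.patch. All data is constructed.

// Site IDs from user meta keys such as "wp_2_capabilities", following the
// key-parsing approach of get_blogs_of_user(); no site objects are loaded.
function site_ids_from_meta_keys( array $meta_keys, string $base_prefix ): array {
	$site_ids = array();
	foreach ( $meta_keys as $key ) {
		if ( 'capabilities' !== substr( $key, -12 ) ) {
			continue; // Not a capabilities key.
		}
		if ( 0 !== strpos( $key, $base_prefix ) ) {
			continue; // Belongs to a different table prefix.
		}
		$id = str_replace( array( $base_prefix, '_capabilities' ), '', $key );
		// "wp_capabilities" (main site) leaves a non-numeric rest and is skipped here.
		if ( is_numeric( $id ) ) {
			$site_ids[] = (int) $id;
		}
	}
	return $site_ids;
}

// $roles_by_site is a hypothetical stand-in for a per-site role lookup:
// site ID => array( user ID => role ).
function sites_to_mark_as_spam( int $user_id, array $site_ids, array $roles_by_site ): array {
	$to_mark = array();
	foreach ( $site_ids as $site_id ) {
		$admins = array_keys( $roles_by_site[ $site_id ] ?? array(), 'administrator', true );
		// Only a site whose single administrator is this user is selected.
		if ( array( $user_id ) === $admins ) {
			$to_mark[] = $site_id;
		}
	}
	return $to_mark;
}

// Constructed sample: user 7 is sole admin of site 2, co-admin of site 3,
// and only a subscriber on site 4.
$meta_keys = array( 'nickname', 'wp_capabilities', 'wp_2_capabilities', 'wp_3_capabilities', 'wp_4_capabilities', 'wp_3_user_level' );
$roles     = array(
	2 => array( 7 => 'administrator' ),
	3 => array( 7 => 'administrator', 12 => 'administrator' ),
	4 => array( 7 => 'subscriber', 15 => 'administrator' ),
);

$site_ids = site_ids_from_meta_keys( $meta_keys, 'wp_' );
print_r( sites_to_mark_as_spam( 7, $site_ids, $roles ) );
```

Site 4 shows why an administrator count of one is not sufficient by itself in this sketch: the single administrator there is a different user, so the site is left alone.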


Change History (5)

@r-a-y
2 months ago

#1 @imath
2 months ago

  • Keywords commit added

Hi @r-a-y thanks a lot for your ticket/patch and unit test 💪

  • I confirm the issue,
  • I confirm the patch is fixing it.

Patch looks good to me, let's have it in!

#2 @boonebgorges
8 weeks ago

Thanks, @r-a-y - I agree that this is a good approach. Thanks for the patch!

#3 @r-a-y
8 weeks ago

In 12665:

Members: When marking a user as a spammer, do not mark sites as spam if the site has more than one administrator.

Previously on a multisite install, we would mark all the spammer's
sites as spam. This is pretty aggressive and could unintentionally
mark legitimate sites as spam as well.

To address this, we now only mark a site as spam if the spammer is the
sole administrator of the site.

See #8316 (for trunk).

#4 @r-a-y
8 weeks ago

  • Owner set to r-a-y
  • Resolution set to fixed
  • Status changed from new to closed

In 12666:

Members: When marking a user as a spammer, do not mark sites as spam if the site has more than one administrator.

Previously on a multisite install, we would mark all the spammer's
sites as spam. This is pretty aggressive and could unintentionally
mark legitimate sites as spam as well.

To address this, we now only mark a site as spam if the spammer is the
sole administrator of the site.

Fixes #8316 (for 6.0 branch).
