From 949c53cae187ba4e9cc63e51d0954372ae4a7418 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Mon, 29 Jul 2013 03:23:51 +0000
Subject: [PATCH] Remove "special" multisite spam check in the authentication API. The spamming of a site no longer directly affects a user of said site. Moves the spam check to the wp_authenticate filter. Networks in need of enhanced spam-fighting should leverage this same technique. Allow is_user_spammy() to accept a WP_User object. props willnorris, brianhogg. fixes #24771. see #19714.
git-svn-id: https://develop.svn.wordpress.org/trunk@24848 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/default-filters.php | 4 ++++
 wp-includes/ms-functions.php | 15 +++++++++------
 wp-includes/user.php | 29 ++++++++++++++++-------------
 3 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index de97238fad..5642829e56 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -299,4 +299,8 @@ add_action( 'admin_enqueue_scripts', 'wp_auth_check_load' );
 add_filter( 'heartbeat_received', 'wp_auth_check', 10, 2 );
 add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 );
+// Default authentication filters
+add_filter( 'authenticate', 'wp_authenticate_username_password', 20, 3 );
+add_filter( 'authenticate', 'wp_authenticate_spam_check', 99 );
+
 unset($filter, $action);
diff --git a/wp-includes/ms-functions.php b/wp-includes/ms-functions.php
index 1037a9f387..bb58c6fa71 100644
--- a/wp-includes/ms-functions.php
+++ b/wp-includes/ms-functions.php
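Review bot: The spam check added in wp-includes/default-filters.php is registered at priority 99 with the default single argument, so any `authenticate` callback hooked at a higher priority number that returns a WP_User runs after it and is not re-checked. If that ordering is intended, the comment above the two registrations should say so, e.g. `// Spam check runs late (99); callbacks hooked after it are not re-checked.` The patch also does not show an earlier registration of `wp_authenticate_username_password` being removed; if one remains elsewhere, it would be worth deleting so the hook is declared in one place.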
@@ -1705,14 +1705,17 @@ function fix_phpmailer_messageid( $phpmailer ) {
 * @since MU
 * @uses get_user_by()
 *
- * @param string $user_login Optional. Defaults to current user.
+ * @param string|WP_User $user Optional. Defaults to current user. WP_User object,
+ * or user login name as a string.
 * @return bool
 */
-function is_user_spammy( $user_login = null ) {
- if ( $user_login )
- $user = get_user_by( 'login', $user_login );
- else
- $user = wp_get_current_user();
+function is_user_spammy( $user = null ) {
+ if ( ! is_a( $user, 'WP_User' ) ) {
+ if ( $user )
+ $user = get_user_by( 'login', $user );
+ else
+ $user = wp_get_current_user();
+ }
 return $user && isset( $user->spam ) && 1 == $user->spam;
 }
diff --git a/wp-includes/user.php b/wp-includes/user.php
index bc583a5789..718ae19bf4 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -89,19 +89,6 @@ function wp_authenticate_username_password($user, $username, $password) {
 if ( !$user )
 return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username. Lost your password?' ), wp_lostpassword_url() ) );
- if ( is_multisite() ) {
- // Is user marked as spam?
- if ( 1 == $user->spam )
- return new WP_Error( 'spammer_account', __( 'ERROR: Your account has been marked as a spammer.' ) );
-
- // Is a user's blog marked as spam?
- if ( !is_super_admin( $user->ID ) && isset( $user->primary_blog ) ) {
- $details = get_blog_details( $user->primary_blog );
- if ( is_object( $details ) && $details->spam == 1 )
- return new WP_Error( 'blog_suspended', __( 'Site Suspended.' ) );
- }
- }
-
 $user = apply_filters('wp_authenticate_user', $user, $password);
 if ( is_wp_error($user) )
 return $user;
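Review bot: In is_user_spammy() (wp-includes/ms-functions.php) any falsy `$user` still falls through to `wp_get_current_user()`, so a caller that passes the result of a failed lookup or an empty login gets an answer about whoever is logged in rather than about the account it meant to check. A login that `get_user_by()` cannot resolve ends at the `$user &&` guard and is reported as not spammy, so the function fails open for unknown names. The docblock, which opens above this hunk, should state both behaviours, e.g. `Any falsy value checks the current user; an unknown login returns false.` As a style point, `$user instanceof WP_User` reads more directly than `is_a( $user, 'WP_User' )`.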
@@ -140,6 +127,22 @@ function wp_authenticate_cookie($user, $username, $password) {
 return $user;
 }
+/**
+ * For multisite blogs, check if the authenticated user has been marked as a
+ * spammer, or if the user's primary blog has been marked as spam.
+ *
+ * @since 3.7.0
+ */
+function wp_authenticate_spam_check( $user ) {
+ if ( $user && is_a( $user, 'WP_User' ) && is_multisite() ) {
+ $spammed = apply_filters( 'check_is_user_spammed', is_user_spammy(), $user );
+
+ if ( $spammed )
+ return new WP_Error( 'spammer_account', __( 'ERROR: Your account has been marked as a spammer.' ) );
+ }
+ return $user;
+}
+
 /**
 * Number of posts user has written.
 *
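Review bot: `is_user_spammy()` is called without an argument in wp_authenticate_spam_check(), so per the is_user_spammy() change in this same patch it evaluates `wp_get_current_user()` rather than the `$user` that was just authenticated. During a login request there is presumably no current user yet, so a spam-flagged account would pass this check unless a `check_is_user_spammed` callback catches it. Pass the authenticated object instead: `$spammed = apply_filters( 'check_is_user_spammed', is_user_spammy( $user ), $user );`. The docblock also says the user's primary blog is checked, which the body does not do; it should drop that clause and gain `@param` and `@return` lines describing the WP_User-or-WP_Error result.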