Closed herbdool closed 3 years ago
Thank you for testing. I've already found some other false positives: "fck" and "wp-*" can be found within hashed js/css paths. The quick fix to prevent it is to start such defaults with an opening slash, e.g. "/administrator", "/fck", "/wp-*" and so on.
A starting point for defining unblockable patterns already exists as a variable named "path_noblock" with only one value, "user/", but there is no GUI for adding settings yet. I think it is a good idea to add this element.
Any suggestions for patterns protected by default?
user/,admin/
... more?
Resolved in new release.
With the default patterns in this module there's a really easy way to get banned. Just go to
/admin/people/list?status=All&role=administrator&username=
where it filters by the administrator role. The quick fix is to remove administrator from the pattern list. But this item should probably not be in the default list.
Might be good to also have a whitelist to prevent some users from being banned, such as https://www.drupal.org/project/autoban has.
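
The false positives discussed in this thread can be reproduced with a small matcher. This is an added example, not the module's own code: the wildcard-substring matching rule, the prefix behaviour of the never-block list, and every sample URL except the first are assumptions made for illustration.

```python
import fnmatch
from urllib.parse import urlsplit

# Defaults quoted in the thread. Matching them as wildcard substrings of the
# request URI is an assumption, not the module's confirmed rule.
UNANCHORED = ["administrator", "fck", "wp-*"]
ANCHORED = ["/administrator", "/fck", "/wp-*"]
NOBLOCK = ["user/", "admin/"]  # never-block prefixes proposed in the thread


def hits(uri, patterns, path_only=False):
    """Return the patterns found in the URI, or only in its path component."""
    target = (urlsplit(uri).path if path_only else uri).lower()
    return [p for p in patterns if fnmatch.fnmatchcase(target, f"*{p.lower()}*")]


def is_protected(uri, noblock):
    """True when the path starts with a never-block prefix (assumed prefix match)."""
    path = urlsplit(uri).path.lstrip("/")
    return any(path.startswith(prefix) for prefix in noblock)


def verdict(uri, patterns, noblock=(), path_only=False):
    """'allow' or 'ban' for one request URI."""
    if is_protected(uri, noblock):
        return "allow"
    return "ban" if hits(uri, patterns, path_only) else "allow"


# Constructed sample requests; only the first URL comes from the thread.
SAMPLES = [
    "/admin/people/list?status=All&role=administrator&username=",
    "/files/css/css_Xfck9wp-Q2.css",        # hashed asset name (constructed)
    "/node/1?destination=/administrator",   # slash inside the query (constructed)
    "/wp-login.php",                        # path the defaults are meant to catch
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        print("  unanchored:", verdict(uri, UNANCHORED))
        print("  anchored:", verdict(uri, ANCHORED))
        print("  anchored, path only, noblock:", verdict(uri, ANCHORED, NOBLOCK, True))
```

Under these assumptions the leading slash clears the role filter and the hashed asset, but a slash-prefixed value inside a query string still matches unless only the path component is checked.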