q2a / question2answer

Question2Answer is a free and open source platform for Q&A sites, running on PHP/MySQL.
http://www.question2answer.org/
GNU General Public License v3.0

Login page and forgot pw page are not checking if a user or IP is blocked #940

Closed q2apro closed 8 months ago

q2apro commented 2 years ago

Register and Login page are not checking if a user or IP is blocked

Should be implemented.

/qa-include/pages/login.php /qa-include/pages/forgot.php

```php
if (qa_is_ip_blocked())
{
    $errors['password'] = 'IP blocked';
}
```

and

```php
// check if account is blocked (login page)
$userdata = qa_db_read_one_assoc(qa_db_query_sub('
                SELECT flags
                FROM `^users`
                WHERE userid = #
                ', $inuserid), true);

// $userdata is null when no row matches, so test it before reading flags
if (isset($userdata['flags']) && ($userdata['flags'] & QA_USER_FLAGS_USER_BLOCKED))
{
    $errors['password'] = 'Account blocked'; // qa_lang()
}
```

svivian commented 1 year ago

Blocked users are allowed to log in, but they cannot post anything. I think that's fair, maybe there's something in their account they want to see. They might only be temporarily banned depending on the site's rules.
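
The two policies in this thread (refuse the login, or allow it and refuse posting) side by side, as an added example that is not Question2Answer code and not written by either commenter. The function name, array keys, flag value and sample data are assumptions made for the illustration; the IP list uses exact matching only.

```php
<?php
// Added illustration, not Question2Answer code; every name here is hypothetical.
const FLAG_USER_BLOCKED = 2; // constructed bit value for this example

// Decide a login attempt. The account-block check runs only after the password
// is verified, so the "Account blocked" message never reaches a caller who has
// not proved ownership of the account.
function decide_login(?array $user, string $password, string $ip,
                      array $blockedIps, bool $denyBlockedLogin): array
{
    // IP check first: it depends only on the caller, not on any account.
    // Exact match only; real block lists usually also hold ranges.
    if (in_array($ip, $blockedIps, true)) {
        return ['ok' => false, 'error' => 'IP blocked'];
    }
    // Unknown user and wrong password get the same answer.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return ['ok' => false, 'error' => 'Invalid login'];
    }
    $blocked = (($user['flags'] ?? 0) & FLAG_USER_BLOCKED) !== 0;
    if ($blocked && $denyBlockedLogin) {
        return ['ok' => false, 'error' => 'Account blocked'];
    }
    // Policy from the reply: the login succeeds but the session cannot post.
    return ['ok' => true, 'error' => null, 'canPost' => !$blocked];
}

// Constructed sample accounts and block list.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'flags' => 0],
    'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT), 'flags' => FLAG_USER_BLOCKED],
];
$blockedIps = ['203.0.113.7'];

// name, password, client IP, denyBlockedLogin
$attempts = [
    ['bob', 'wrong', '198.51.100.1', true],
    ['bob', 'hunter2', '198.51.100.1', true],
    ['bob', 'hunter2', '198.51.100.1', false],
    ['alice', 'correct horse', '203.0.113.7', false],
    ['mallory', 'x', '198.51.100.1', true],
];
foreach ($attempts as [$name, $pw, $ip, $deny]) {
    $r = decide_login($users[$name] ?? null, $pw, $ip, $blockedIps, $deny);
    $out = $r['ok'] ? 'login ok, canPost=' . var_export($r['canPost'], true) : $r['error'];
    printf("%-8s deny=%d -> %s\n", $name, $deny, $out);
}
```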