Banning users isn't working

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I have upgraded to 2.1.7. I need to ban users occasionally. I go to the admin panel and lock their accounts, and they are still able to log in. I go into the database itself and update the password field, changing one letter in the password hash, and they are still able to post for some reason!

What do I need to do to REALLY prevent a user from logging in? Like, "you can't log in, period".

I've also added their emails to the ban list. None of this seems to make any difference.

Surely there's a way to block a user from logging in?

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Ok this is totally driving me crazy. Does JForum do any authentication at all? Here's a user in the user table:



That's literally what is there. The password is literally set to 'xxx' in the database. I did that by hand, with "update jforum_users set user_password = " when it became clear that JForum's delete user function in the admin panel doesn't do anything.

I reset the server. And this user is still able to log in, and he shows up on the active users list at the bottom of the page. I have no idea what password he's using because it's impossible for any password to hash to 'xxx', so I have to assume that the authentication functions in JForum are 100% broken if this is happening.

Someone please tell me, is it possible to block users from logging in? This is totally insane if there's no way to kick someone out of a forum. How do I do it?

The "block user" function should a) set the deleted value in the DB (it does that) and b) evict that user from all caches and sessions. This is such basic functionality. Is this going to be included in some version of JForum at some point?

I opened a "blocker" level issue on this:

http://www.jforum.net/jira/browse/JF-647


[originally posted on jforum.net by CaliforniaCCW]
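
The two-step behaviour requested in the post above (set the flag, then evict the user's sessions), together with a per-request re-check, as an added example that is not JForum code and not part of the original thread. The class and method names are hypothetical, and in-memory collections stand in for the user table's flag and for the session store.

```java
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; this is not JForum's API or schema.
public class BanEnforcement {
    // Stand-in for the deleted/locked flag stored with the user record.
    private final Set<Integer> bannedUsers = ConcurrentHashMap.newKeySet();
    // Live sessions: session id -> user id. The same rule applies to persisted sessions.
    private final Map<String, Integer> sessions = new ConcurrentHashMap<>();

    /** Called after the credential check succeeds; a banned account still gets no session. */
    public String login(int userId) {
        if (bannedUsers.contains(userId)) {
            return null;
        }
        String sid = UUID.randomUUID().toString();
        sessions.put(sid, userId);
        return sid;
    }

    /** Ban = (a) set the flag, then (b) evict every session the user holds. */
    public boolean ban(int userId) {
        bannedUsers.add(userId);   // flag first, so no new login can slip in during eviction
        return sessions.values().removeIf(uid -> uid == userId);
    }

    /** Per-request check: a known session id is not trusted without re-checking the account. */
    public Integer resolveUser(String sid) {
        Integer uid = (sid == null) ? null : sessions.get(sid);
        if (uid != null && bannedUsers.contains(uid)) {
            sessions.remove(sid);  // catches a session that eviction missed
            return null;
        }
        return uid;
    }

    public static void main(String[] args) {
        BanEnforcement forum = new BanEnforcement();
        String sid = forum.login(42);  // constructed user id
        System.out.println("before ban: " + forum.resolveUser(sid));
        System.out.println("evicted:    " + forum.ban(42));
        System.out.println("after ban:  " + forum.resolveUser(sid));
        System.out.println("re-login:   " + forum.login(42));
    }
}
```

Changing only the stored password hash affects the next credential check; a session that was issued earlier keeps working until it is evicted or the account state is re-checked on each request.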
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Help, I can't control my forum. There seems to be literally no way to prevent a user from logging in, after that user has set up an account. I edited config/web.xml in the server to make it not store session on disk, and reset the server, and deleted entries from jforum_sessions which correspond to the user IDs I want to block. None of this works. I may need to shut this whole forum down until this can be resolved.

This is a critical security bug in JForum!

Can anyone point me to where in the code I could start fixing this?

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Help, is there any quick hack to fix this? I have two user IDs that I want to never ever be able to log in, post messages, or use PMs. Can anyone suggest how I could modify one of the templates to check the user ID, and if it matches some particular value, just stop rendering the page? I'm desperate to be able to block some users out of the forum because I basically need to shut down the entire thing if I can't block them out.

This is an absolutely fatal, beyond blocking bug in JForum. I would say that 2.1.7 should be pulled until this can be fixed.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Maybe there is no reply because they really wanted to ban him, but couldn't, because it's broken. LOL
[originally posted on jforum.net by jenamon]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hmm.. the fact that no one ever responded to these messages scares me a little.

What happened here?

[originally posted on jforum.net by jax]
 