File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes JForum and the fly likes Is it possible to disable an account? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JForum
Bookmark "Is it possible to disable an account?" Watch "Is it possible to disable an account?" New topic
Author

Is it possible to disable an account?

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
There is a user who is posting unacceptable posts. I have locked his account but he is still able to log in and post. I have seen this with users in the past. Is there any way to actually prevent a user from logging in, ie, to disable an account? If that isn't possible, JForum is fatally flawed.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
What version of Jforum are you using? I ran into this in the earlier versions (i.e. 2.1.4-2.1.6). Sometimes clearing the session cache will drop them off if they are still logged in when you disable their account. You could also manually change their password in the DB to prevent them from logging in ... somewhat clumsy, but should work.

[originally posted on jforum.net by GatorBait3]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
This is with 2.1.7. When this happened before, I cleared the jforum_sessions table. I restarted the server. Nothing help until I changed a value in the jforum properties file.

This is a critical bug in JForum. All the login scripts should check, "is this user locked". All the posting scripts should check that. The PM scripts should check that. Users shouldn't be able to do anything when their accounts are locked. As it is it seems to have no effect at all.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
And what makes it the worst is that users figure out, "hey he has no way of disabling my account" and then they go crazy with the posts.

There should be an emergency release to fix this. At this point I would not recommend this software to anyone because once someone has an account, he basically has the ability to post whatever he wants whenever he wants.
[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
As described - why dont you just change the password on the user? or delete him, updating the forum posts table to set the posts either to written by "Deleted user" or delete them... ^^

The magic of SQL provides alot of tricks to help admins on getting rid of users ;)
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I did change the password. Nothing works. Once someone has an account, the admin has no way to control him from posting, other than going through and deleting his posts.

This is bad. I want to prevent a certain user from posting, or PMing. Honestly, this problem is a show-stopper critical bug in JForum. If the forum admin can't prevent a user from posting, then the admin has no control of the website. Why even bother to have passwords and users? Just let anyone post anything.

I would not recommend JForum to anyone until this is fixed. I regret using it but a) it's too late to switch and b) I don't know of any other forum software in Java.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
CaliforniaCCW wrote:I did change the password. Nothing works. Once someone has an account, the admin has no way to control him from posting, other than going through and deleting his posts.

This is bad. I want to prevent a certain user from posting, or PMing. Honestly, this problem is a show-stopper critical bug in JForum. If the forum admin can't prevent a user from posting, then the admin has no control of the website. Why even bother to have passwords and users? Just let anyone post anything.

I would not recommend JForum to anyone until this is fixed. I regret using it but a) it's too late to switch and b) I don't know of any other forum software in Java.

If you manually changed his password in the SQL table and reset the session cache in the Admin console, he shouldn't be able to log back in. I am also assuming that you have anonymous posting turned off.

And, agreed, it is serious! I'm off to check my test install now ....

[originally posted on jforum.net by GatorBait3]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I found that banning by email had no effect, even after clearing the sessions.

However, banning by user ID worked fine ... I was presented with this message: You have been banned from this forum. If you have any questions, please contact the Administrator. Thank you. and could not log in.

Now, the user ID is NOT the username! Use the UserID listed next to the user in the Admin console. Then do a ban based on userID, and be sure to clear the sessions kick him off (Admin Console / Cache / Sessions - Clear).

That seems to work just fine.

[edit] this was using version JForum 2.1.7[/edit]


[originally posted on jforum.net by GatorBait3]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Cool, thank you for the tip on that! I just put in a ban on that user id. Hopefully this will work. It's fine if it works but it would be a lot more logical if locking a user would accomplish the same thing. That's my recommendation for the JF devs. It should be a small change somewhere, I would think.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
And he's logged in still. I put in the user ID in the ban list. I cleared the session cache. This is a fatal fatal flaw in JForum and it has been this way for a long time. Hello, it is a very small code change to fix this. I once found that changing the user.hash.sequence properties value worked, but that required me to reset the server.

This is really bad! The moment someone has an account, the admin no longer has control of the site!

We might as well not have passwords, or just give everyone admin.

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
The Admin Console / Cache / Sessions - Clear should log EVERYONE off ... including you. Is this not the case?
[originally posted on jforum.net by GatorBait3]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
It does, indeed, log everyone off. And I put that guy's user ID in the ban list, locked his account, and changed his password. And he still is able to log in. Really, once someone has an account, that person can't be stopped, from what I can tell.

I am using Postgres as the DB. Is that a factor? Maybe there is a bug in one of the Postgres queries, where it is not properly checking these things?

[originally posted on jforum.net by CaliforniaCCW]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
CaliforniaCCW wrote:It does, indeed, log everyone off. And I put that guy's user ID in the ban list, locked his account, and changed his password. And he still is able to log in. Really, once someone has an account, that person can't be stopped, from what I can tell.

I am using Postgres as the DB. Is that a factor? Maybe there is a bug in one of the Postgres queries, where it is not properly checking these things?

My tests were with MySQL. I only used the "ban by user ID" (i.e. didn't lock the acct or change passwd) and I could not log back in with the banned account.
[originally posted on jforum.net by GatorBait3]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
are you using some sort of sso or did you change the authentication classes california?
[originally posted on jforum.net by Sid]
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Is it possible to disable an account?
 
Similar Threads
html:link disable
Disabling image
Tomcat 4.1 installation
invoking java EJB client for IBM WAS advanced edition 3.5
Disable Register