[As designed] Rejected user can use Contact Us even though permission is set to Never

Kirby

Affected version: 2.1.10
We've got a spam user that was rejected but still does spam contact us, so we've set the permission to never.
Analyze permissions does show that the user can't use contact us, but in fact this is still possible.
 
Are they banned or rejected? Or are they banned and rejected?

Unban them and I think that might stop the situation you're seeing.
 
The user is only rejected. If the user is banned (no matter if he is rejected or valid), the permission does work.
This also happens when the user has any other state except Valid.
 
Right, fair enough, I read the code backwards.

The failure here is that when the permissions for this user are checked, e.g.

PHP:
$this->hasPermission('general', 'useContactForm')

Their permissions are checked against the "Unregistered / Unconfirmed" group as is standard when a user's account is no longer valid. User permissions are unable to override this.

Clearly the workaround for now is to ban the user (or set Unregistered / unconfirmed permissions to no), but we'll consider if changes need to be made in this particular case.
 
Setting Contact Us permissions to No for Unregistered unfortunately is not an option, as we do want guests and all non-valid users to be able to use Contact Us unless the permission is explicitly set to No or Never for specific users.
 
Ban his IP. And then ban his IP for the contact form.

Not sure if that second ban requires this add-on:

 
So we have just made a tweak here, though in terms of what's being reported, I think we'd consider it as designed: we want users with different account issues/statuses to potentially be able to use the contact system (such as in the case of an incorrect rejection).

However, as a mitigation, we're now forcing CAPTCHA verification on the contact form if the account status is not valid. This should avoid the ability to completely automate spam on the contact form after you're logged in.
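The precedence problem described in the staff replies above, modelled as an added illustration. This is not XenForo's own code: the permission values, user states, group names, sample users and function names are a simplified, hypothetical model. It shows the order of evaluation in which a non-valid account falls through to the Unregistered / Unconfirmed group before the per-user entry is consulted (so the user-level Never is lost), the ordering in which an explicit per-user Never is checked first and is final regardless of account state, and the CAPTCHA gate from the mitigation:

```php
<?php
// Added illustration, not XenForo's own code. Permission values, user states,
// groups and sample data below are a hypothetical model of the thread's scenario.
declare(strict_types=1);

const ALLOW = 'allow';   // "Yes"
const UNSET = 'unset';   // "No": no opinion, inherit from groups
const NEVER = 'never';   // "Never": hard deny

// Constructed sample data.
$groupPermissions = [
    'unregistered' => ['general' => ['useContactForm' => ALLOW]],
    'registered'   => ['general' => ['useContactForm' => ALLOW]],
];
$userPermissions = [
    // User 42 is the spammer; Contact Us was set to Never on the user itself.
    42 => ['general' => ['useContactForm' => NEVER]],
];
$users = [
    42 => ['user_state' => 'rejected', 'is_banned' => false, 'group' => 'registered'],
    43 => ['user_state' => 'valid',    'is_banned' => false, 'group' => 'registered'],
];

function lookup(array $perms, string $group, string $perm): string
{
    return $perms[$group][$perm] ?? UNSET;
}

// Behaviour the thread describes: a non-valid account is evaluated against the
// Unregistered / Unconfirmed group and the per-user entry is never consulted.
function hasPermissionAsReported(array $user, int $userId, string $group, string $perm,
                                 array $groupPerms, array $userPerms): bool
{
    if ($user['is_banned']) {
        return false;
    }
    if ($user['user_state'] !== 'valid') {
        return lookup($groupPerms['unregistered'], $group, $perm) === ALLOW;
    }
    $own = lookup($userPerms[$userId] ?? [], $group, $perm);
    if ($own === NEVER) {
        return false;
    }
    if ($own === ALLOW) {
        return true;
    }
    return lookup($groupPerms[$user['group']], $group, $perm) === ALLOW;
}

// Ordering in which an explicit per-user Never is checked first and is final
// whatever the account state; only the fallback group depends on the state.
function hasPermissionNeverWins(array $user, int $userId, string $group, string $perm,
                                array $groupPerms, array $userPerms): bool
{
    if ($user['is_banned']) {
        return false;
    }
    $own = lookup($userPerms[$userId] ?? [], $group, $perm);
    if ($own === NEVER) {
        return false;
    }
    if ($own === ALLOW) {
        return true;
    }
    $fallback = $user['user_state'] === 'valid' ? $user['group'] : 'unregistered';
    return lookup($groupPerms[$fallback], $group, $perm) === ALLOW;
}

// The mitigation from the staff reply: force CAPTCHA on the contact form
// whenever the logged-in account is not in the Valid state.
function contactFormRequiresCaptcha(array $user): bool
{
    return $user['user_state'] !== 'valid';
}

foreach ($users as $id => $user) {
    $asReported = hasPermissionAsReported($user, $id, 'general', 'useContactForm',
                                          $groupPermissions, $userPermissions);
    $neverWins  = hasPermissionNeverWins($user, $id, 'general', 'useContactForm',
                                         $groupPermissions, $userPermissions);
    printf("user %d (%s): as-reported=%s, never-wins=%s, captcha=%s\n",
        $id, $user['user_state'],
        var_export($asReported, true),
        var_export($neverWins, true),
        var_export(contactFormRequiresCaptcha($user), true));
}
```

Run with `php` from the command line: the rejected user 42 is allowed through by the as-reported ordering despite the user-level Never, is denied by the never-wins ordering, and is forced through CAPTCHA either way; the valid user 43 is allowed by both and is not challenged.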
 
So we have just made a tweak here, though in terms of what's being reported, I think we'd consider it as designed: we want users with different account issues/statuses to potentially be able to use the contact system (such as in the case of an incorrect rejection).
I strongly disagree here. If a permission is set to never for a specific user (not a usergroup), that permission really should determine what the user cannot do.

I've therefore posted a suggestion to change this behaviour:

At least Analyze permissions should show the correct results.
 