Changeset 12666

Timestamp:

06/16/2020 04:31:11 AM (11 months ago)

Author:

r-a-y

Message:

Members: When marking a user as a spammer, do not mark sites as spam if the site has more than one administrator.

Previously on a multisite install, we would mark all the spammer's
sites as spam. This is pretty aggressive and could unintentionally
mark legitmiate sites as spam as well.

To address this, we now only mark a site as spam if the spammer is the
sole administrator of the site.

Fixes #8316 (for 6.0 branch).

Location:

branches/6.0

Files:

• src/bp-members/bp-members-functions.php (modified) (1 diff)
• tests/phpunit/testcases/members/functions.php (modified) (1 diff)

branches/6.0/src/bp-members/bp-members-functions.php

@@ -693 +693 @@
     if ( $do_wp_cleanup ) {
 
-        // Get the blogs for the user.
-        $blogs = get_blogs_of_user( $user_id, true );
-
-        foreach ( (array) array_values( $blogs ) as $details ) {
-
-            // Do not mark the main or current root blog as spam.
-            if ( 1 == $details->userblog_id || bp_get_root_blog_id() == $details->userblog_id ) {
-                continue;
+        // Mark blogs as spam if the user is the sole admin of a site.
+        if ( is_multisite() ) {
+            /*
+             * No native function to fetch a user's blogs by role, so do it manually.
+             *
+             * This logic is mostly copied from get_blogs_of_user().
+             */
+            $meta = get_user_meta( $user_id );
+
+            foreach ( $meta as $key => $val ) {
+                if ( 'capabilities' !== substr( $key, -12 ) ) {
+                    continue;
+                }
+                if ( $wpdb->base_prefix && 0 !== strpos( $key, $wpdb->base_prefix ) ) {
+                    continue;
+                }
+                $site_id = str_replace( array( $wpdb->base_prefix, '_capabilities' ), '', $key );
+                if ( ! is_numeric( $site_id ) ) {
+                    continue;
+                }
+
+                $site_id = (int) $site_id;
+
+                // Do not mark the main or current root blog as spam.
+                if ( 1 === $site_id || bp_get_root_blog_id() === $site_id ) {
+                    continue;
+                }
+
+                // Now, do check for administrator role.
+                $role = maybe_unserialize( $val );
+                if ( empty( $role['administrator'] ) ) {
+                    continue;
+                }
+
+                // Check if the site has more than 1 admin. If so, bail.
+                $counts = count_users( 'time', $site_id );
+                if ( empty( $counts['avail_roles']['administrator'] ) || $counts['avail_roles']['administrator'] > 1 ) {
+                    continue;
+                }
+
+                // Now we can spam the blog.
+                update_blog_status( $site_id, 'spam', $is_spam );
             }
-
-            // Update the blog status.
-            update_blog_status( $details->userblog_id, 'spam', $is_spam );
         }
 

branches/6.0/tests/phpunit/testcases/members/functions.php

@@ -538 +538 @@
         $this->assertSame( 'bp_make_ham_user', $this->filter_fired );
 
+    }
+
+    /**
+     * @group bp_core_process_spammer_status
+     * @ticket BP8316
+     */
+    public function test_bp_core_process_spammer_status_ms_should_only_spam_sites_with_one_admin() {
+        if ( ! is_multisite() ) {
+            $this->markTestSkipped();
+        }
+
+        $u1 = self::factory()->user->create();
+        $u2 = self::factory()->user->create();
+
+        $b1 = self::factory()->blog->create( array( 'user_id' => $u1 ) );
+
+        // Add user 2 to site as administrator.
+        add_user_to_blog( $b1, $u2, 'administrator' );
+
+        // Mark user 2 as a spammer.
+        bp_core_process_spammer_status( $u2, 'spam' );
+
+        // Ensure site isn't marked as spam because there is more than one admin.
+        $site = get_site( $b1 );
+        $this->assertEmpty( $site->spam );
     }