Remove "special" multisite spam check in the authentication API.

The spamming of a site no longer directly affects a user of said site. Moves the spam check to the wp_authenticate filter. Networks in need of enhanced spam-fighting should leverage this same technique. Allow is_user_spammy() to accept a WP_User object. props willnorris, brianhogg. fixes #24771. see #19714. git-svn-id: http://core.svn.wordpress.org/trunk@24848 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-07-29 03:23:51 +00:00 · 2013-07-29 03:23:51 +00:00 · 5c20d1eca1
parent cc4cedcf59
commit 5c20d1eca1
3 changed files with 29 additions and 19 deletions
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@ -299,4 +299,8 @@ add_action( 'admin_enqueue_scripts',     'wp_auth_check_load'   );
 add_filter( 'heartbeat_received',        'wp_auth_check', 10, 2 );
 add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 );

+// Default authentication filters
+add_filter( 'authenticate', 'wp_authenticate_username_password',  20, 3 );
+add_filter( 'authenticate', 'wp_authenticate_spam_check',         99    );
+
 unset($filter, $action);
--- a/wp-includes/ms-functions.php
+++ b/wp-includes/ms-functions.php
@ -1705,14 +1705,17 @@ function fix_phpmailer_messageid( $phpmailer ) {
 * @since MU
 * @uses get_user_by()
 *
- * @param string $user_login Optional. Defaults to current user.
+ * @param string|WP_User $user Optional. Defaults to current user. WP_User object,
+ * 	or user login name as a string. 
 * @return bool
 */
-function is_user_spammy( $user_login = null ) {
-	if ( $user_login )
-		$user = get_user_by( 'login', $user_login );
-	else
-		$user = wp_get_current_user();
+function is_user_spammy( $user = null ) {
+    if ( ! is_a( $user, 'WP_User' ) ) {
+		if ( $user )
+			$user = get_user_by( 'login', $user );
+		else
+			$user = wp_get_current_user();
+	}

 	return $user && isset( $user->spam ) && 1 == $user->spam;
 }
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -89,19 +89,6 @@ function wp_authenticate_username_password($user, $username, $password) {
 	if ( !$user )
 		return new WP_Error( 'invalid_username', sprintf( __( '<strong>ERROR</strong>: Invalid username. <a href="%s" title="Password Lost and Found">Lost your password</a>?' ), wp_lostpassword_url() ) );

-	if ( is_multisite() ) {
-		// Is user marked as spam?
-		if ( 1 == $user->spam )
-			return new WP_Error( 'spammer_account', __( '<strong>ERROR</strong>: Your account has been marked as a spammer.' ) );
-
-		// Is a user's blog marked as spam?
-		if ( !is_super_admin( $user->ID ) && isset( $user->primary_blog ) ) {
-			$details = get_blog_details( $user->primary_blog );
-			if ( is_object( $details ) && $details->spam == 1 )
-				return new WP_Error( 'blog_suspended', __( 'Site Suspended.' ) );
-		}
-	}
-
 	$user = apply_filters('wp_authenticate_user', $user, $password);
 	if ( is_wp_error($user) )
 		return $user;
@ -140,6 +127,22 @@ function wp_authenticate_cookie($user, $username, $password) {
 	return $user;
 }

+/**
+ * For multisite blogs, check if the authenticated user has been marked as a
+ * spammer, or if the user's primary blog has been marked as spam.
+ *
+ * @since 3.7.0
+ */
+function wp_authenticate_spam_check( $user ) {
+	if ( $user && is_a( $user, 'WP_User' ) && is_multisite() ) {
+		$spammed = apply_filters( 'check_is_user_spammed', is_user_spammy(), $user );
+
+		if ( $spammed )
+			return new WP_Error( 'spammer_account', __( '<strong>ERROR</strong>: Your account has been marked as a spammer.' ) );
+	}
+	return $user;
+}
+
 /**
 * Number of posts user has written.
 *