BuddyDev

[Resolved] Suspended users able to access information through API if already logged in

  • Participant
    Level: Enlightened
    Posts: 72
    Nifty on #43066

    Hi,

    We have an app that uses the BuddyPress API and uses JWT to authenticate (if this matters). When users are suspended using the BuddyPress Moderation Tools plugin, the website responds correctly by logging out the user, blocking interaction, etc. However, when a user is logged in already through the API and they are suspended, they can continue to use the API (mostly normally, like to browse and message users who are then notified by email of the message).

    Is it possible to add a check to see if the user is suspended through the API, or even for the API response to change (such as a specific error)? We can then tailor the response accordingly, such as logging the user out if that reply is received. Something similar to how the BuddyPress Block Users plugin works to block message sending, etc through the API would be awesome!

    Thank you and looking forward to hearing from you 🙂.

  • Keymaster
    (BuddyDev Team)
    Posts: 24577
    Brajesh Singh on #43080

    Hi Nifty,
    Thank you for reporting the issue.

    We log out the user and clear all their sessions (managed by WordPress) on suspension. It seems that the JWT auth plugin might be managing its own token that needs to be invalidated. We will look into it and add the support within a week if doable.

    Regards
    Brajesh

  • Participant
    Level: Enlightened
    Posts: 72
    Nifty on #43088

    Hi Brajesh,

    Thank you for your reply and looking into this! 🙂

    If it’s any help, we are using the “JWT Authentication for WP REST API” plugin by Enrique Chavez (https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/).

    Thanks again.

  • Keymaster
    (BuddyDev Team)
    Posts: 24577
    Brajesh Singh on #43094

    Hi Nifty,
    Thank you.

    That will certainly help.

    Regards
    Brajesh

  • Keymaster
    (BuddyDev Team)
    Posts: 24577
    Brajesh Singh on #43146

    Hi Nifty,
    Thank you for the patience.

    The JWT plugin uses the determine_current_user hook to mark a user as logged in, and the plugin does not give us any option to check for external conditions. Our only solution is to hook to the same filter at a lower priority. I am not very comfortable with this idea as a general solution.

    Still, you can put this code and it will work.

    /**
     * Do not accept the current user as logged in if they are suspended.
     *
     * Hooked at priority 100 so it runs after the JWT plugin's own
     * determine_current_user callback has resolved the token to a user ID.
     */
    add_filter( 'determine_current_user', function ( $user_id ) {

    	// Nothing to check for anonymous requests, or if the moderation plugin is inactive.
    	if ( ! $user_id || ! function_exists( 'bpmts_is_user_suspended' ) ) {
    		return $user_id;
    	}

    	// A suspended user is treated as not logged in for this request.
    	if ( bpmts_is_user_suspended( $user_id ) ) {
    		return false;
    	}

    	return $user_id;
    }, 100 );

    Regards
    Brajesh
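The snippet in the post above only drops the suspended user to anonymous, which is why it works, but the API client cannot tell a suspended account apart from an expired or missing token. Because a JWT is stateless, destroying the WordPress session tokens on suspension does not revoke it, so a per-request check of this kind is the only revocation point available. The following is an added example, not code from the thread or from either plugin: it keeps the determine_current_user check and adds a rest_authentication_errors callback that returns a distinct 403 error the client can act on (for example by logging the user out locally), which is what the original question asked for. It assumes bpmts_is_user_suspended() from BuddyPress Moderation Tools as used above; the error code bp_user_suspended, the global variable name and the text domain are assumptions of this example.

```php
<?php
/**
 * Added example for bp-custom.php (not the plugins' own code).
 *
 * 1. determine_current_user (priority 100, i.e. after the JWT plugin's callback)
 *    refuses to treat a suspended user as logged in and remembers who it was.
 * 2. rest_authentication_errors turns that refusal into an explicit 403 with a
 *    stable error code, so the REST client can distinguish "suspended" from
 *    "not authenticated" and react accordingly.
 *
 * Assumed: bpmts_is_user_suspended( $user_id ) from BuddyPress Moderation Tools.
 */

// Remembered between the two hooks so the REST layer can explain the refusal.
$GLOBALS['bp_suspended_api_user'] = 0;

add_filter( 'determine_current_user', function ( $user_id ) {
	// Nothing to check for anonymous requests, or if the moderation plugin is inactive.
	if ( ! $user_id || ! function_exists( 'bpmts_is_user_suspended' ) ) {
		return $user_id;
	}

	if ( bpmts_is_user_suspended( (int) $user_id ) ) {
		$GLOBALS['bp_suspended_api_user'] = (int) $user_id;
		return false; // Treat the request as unauthenticated.
	}

	return $user_id;
}, 100 );

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Do not mask an error another authentication handler already raised.
	if ( is_wp_error( $result ) ) {
		return $result;
	}

	// Make sure determine_current_user has run for this request before we look
	// at the flag; wp_get_current_user() triggers it if nothing else has yet.
	wp_get_current_user();

	if ( ! empty( $GLOBALS['bp_suspended_api_user'] ) ) {
		// Error code 'bp_user_suspended' is an assumption of this example.
		return new WP_Error(
			'bp_user_suspended',
			__( 'This account is suspended.', 'bp-custom' ),
			array( 'status' => 403 )
		);
	}

	return $result;
} );
```

Note that with only the first filter in place, a suspended user becomes an anonymous caller, so any endpoint that allows anonymous reads is still reachable; the second filter is what blocks the request outright and lets the client invalidate its cached token. Check the JSON body for `"code": "bp_user_suspended"` when testing with a suspended account's token.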

  • Participant
    Level: Enlightened
    Posts: 72
    Nifty on #43213

    Hi Brajesh,

    Thank you for your time and the solution. It does work, when added to the bp-custom.php file, and is working as we hoped it would.

    Thanks again! 🙂

  • Keymaster
    (BuddyDev Team)
    Posts: 24577
    Brajesh Singh on #43222

    Thank you.
    I am glad it worked.

    Regards
    Brajesh
