MyBB Community Forums

Full Version: Is it possible to prevent password recovery for a given user
Hi,

I have a MyBB installation where I need to prevent some users from recovering passwords, as strange as it may sound. There is someone "targeting" one user by constantly pressing the recover password option and thus spamming the user's e-mail account. Since I don't want to block every user I was thinking if it is possible to create a plugin that given a user ID will cancel the request password action.

I've found nothing in the documentation I read about plugins being able to cancel MyBB's actions so is what I'm thinking possible? I have no problems with developing the plugin myself, it's just that I never created plugins for MyBB before and couldn't really find info on this particular use case.

I'm running the latest 1.6.x version, and if you have any suggestions on how to solve the issue I'm all ears :)

Regards,

Knitter
Using the MyPermissions plugin you can block groups from using any MyBB action (file.php?action=lostpass_do I think it is)

You just create a new group and move all users to that specific group (maybe it works moving them as a secondary group).

That is the easiest way that I can think of, without creating a plugin.

http://mods.mybb.com/view/my-permissions
Thanks, I'll have to look closely at that plugin since it offers more than what I need/want, but it may be the best option for an immediate "solution".
(2011-09-30, 04:01 PM)Knitter Wrote: [ -> ]Hi,

I have a MyBB installation where I need to prevent some users from recovering passwords, as strange as it may sound. There is someone "targeting" one user by constantly pressing the recover password option and thus spamming the user's e-mail account. Since I don't want to block every user I was thinking if it is possible to create a plugin that given a user ID will cancel the request password action.

I've found nothing in the documentation I read about plugins being able to cancel MyBB's actions so is what I'm thinking possible? I have no problems with developing the plugin myself, it's just that I never created plugins for MyBB before and couldn't really find info on this particular use case.

I'm running the latest 1.6.x version, and if you have any suggestions on how to solve the issue I'm all ears :)

Regards,

Knitter

sounds like your solution should be to ban the offending user and his/her IP and email. harassing other users and abusing your site, should be grounds for ban
pavemen may be right, if the user doesn't offer quality content, or content at all, banning him may be the best of all solutions :)

Anyways, the plugin I mentioned extends the groups options by much, even if you don't use it for this.
(2011-09-30, 06:44 PM)pavemen Wrote: [ -> ]sounds like your solution should be to ban the offending user and his/her IP and email. harassing other users and abusing your site, should be grounds for ban
Problem is, none of my users are doing anything wrong. It's not a forum user that is causing problems, it's a forum user that is being targeted.

Anyone can click the recover password option and input an e-mail address. Imagine what would happen if I created a bot to constantly request password recoveries for a random user of this forum. It wouldn't be that user's fault :)

I've tried the plugin but I think I configured it the wrong way, I'll have to look at it again since I just remembered that I may have made a mistake while writing this :).

My problem is how to prevent my system from being exploited by someone and used as SPAM tool since the actions being used are legit.

P.S.: I don't know why but there was no notification about the two replies, though I have the option to receive e-mail notifications, both as default in my profile and in the local thread subscription options.

Hum... not, it seems like I either can't configure this thing properly or MyBB/MyPermissions doesn't allow for what I'm trying to achieve.

I configured the plugin for the file member.php, action do_lostpw, and the user group ID is correct. Still a user in that group can easily have a request for its password to be recovered, thus it's possible to keep spamming my forum users :(.

As for banning the IP, if the person that is requesting the password recoveries isn't a user and doesn't log in I have some trouble finding the correct IP. Add to that that an IP, normally, is not static and can be easily changed, the IP banning option is not very good :(
Try disabling the action "lostpw".

Also, try it yourself to check that it is not cloking the action to that group.
I've tried that option, it was actually the first one I tried and that made me think I had it wrong since that action is what shows the recovery password page.

I'm thinking that those actions don't validate or even check the user's group, just look for the e-mail and send the messages if the e-mail was found. At least it makes sense that MyBB doesn't check anything else since the operation is normally done by users that are logged out and there is little reason to do any other validation.

I'll probably try to create my own plugin for this peculiar situation.

Thanks,

Knitter
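
One way to write the plugin discussed above, as an added example that is not part of the original thread and is not MyBB's or MyPermissions' code. It assumes MyBB 1.6's `member_do_lostpw_start` hook and the `email` form field in member.php; the `lostpw_guard` name, the protected UID list, the one-hour interval and the cache key are hypothetical.

```php
<?php
// inc/plugins/lostpw_guard.php -- added example; all lostpw_guard names are hypothetical.
if (!defined('IN_MYBB')) {
    die('Direct access is not allowed.');
}

// Runs at the top of member.php?action=do_lostpw, before any recovery mail is sent.
$plugins->add_hook('member_do_lostpw_start', 'lostpw_guard_check');

function lostpw_guard_info()
{
    return array(
        'name'          => 'Lost Password Guard',
        'description'   => 'Blocks or throttles password recovery mail for selected accounts.',
        'author'        => 'example',
        'version'       => '1.0',
        'compatibility' => '16*',
    );
}

function lostpw_guard_check()
{
    global $mybb, $db, $cache;

    $protected_uids = array(42); // constructed sample: accounts that never get recovery mail
    $min_interval   = 3600;      // assumed policy: one recovery mail per account per hour

    // The request comes from a logged-out visitor, so the target is resolved by e-mail, not by group.
    $email = strtolower(trim($mybb->input['email']));
    $query = $db->simple_select('users', 'uid', "LOWER(email)='" . $db->escape_string($email) . "'", array('limit' => 1));
    $uid   = (int) $db->fetch_field($query, 'uid');
    if (!$uid) {
        return; // unknown address: leave MyBB's normal handling in place
    }

    // Load the per-account timestamps and drop the ones older than the interval.
    $seen = $cache->read('lostpw_guard');
    $seen = is_array($seen) ? $seen : array();
    foreach ($seen as $id => $ts) {
        if (TIME_NOW - $ts >= $min_interval) {
            unset($seen[$id]);
        }
    }

    if (in_array($uid, $protected_uids) || isset($seen[$uid])) {
        // error() renders MyBB's error page and stops the request, so nothing is mailed.
        error('Password recovery is not available for this account right now. Please contact an administrator.');
    }

    $seen[$uid] = TIME_NOW;
    $cache->update('lostpw_guard', $seen);
}
```

An account on the protected list, or one inside the throttle window, cannot use self-service recovery either, so the administrator has to reset its password from the Admin CP on request.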
Can you print the options you are entering?

Because I have checked it and it allows me to disable the do_lostpw action from the member.php file