Details
- Bug
- Status: Closed
- Major
- Resolution: Cannot Reproduce
- 3.0.8
- None
- PHP 5.3.5, MySQL 5.1.50, Linux 2.6.33-gentoo-r2
Description
ACP has New member post limit=1 and Can post without approval=Never for the Newly registered users group. Most of the time a new post goes into the approval queue, but last night a spammer made 2 posts which were publicly viewable without waiting for moderator approval.
I created a number of test users and found that the only circumstance where a post was added to the approval queue was when the user name and email address had never been previously used. Repeat use is possible as we have a policy of deleting spammers to prevent them from cluttering up the membership list. Obvious spambot user name patterns are wildcard disallowed, but otherwise we don't normally bother.
Here's a summary of the test sequence I followed:
Name #1 + email #1, post requires approval, user deleted
Name #1 + email #1, post publicly viewable, user deleted
Name #1 + email #2, post publicly viewable, user deleted
Name #2 + email #1, post publicly viewable, user deleted
Name #3 + email #3, activated, user deleted
Name #3 + email #3, post publicly viewable, user deleted
Name #4 + email #4, inactive, user deleted
Name #4 + email #4, post publicly viewable, user deleted