    • 40553
    • 42 Posts
    Can someone explain to me what the difference is between a user being inactive and blocked? Theoretically and according to the MODX guide, both a user being blocked and a user having active status set to 0 prevent him from logging in. Therefore I wanted to ask what the practical difference between these two is.

    Thanks!
      • 4172
      • 5,888 Posts
      I think this should explain the difference.
      From core/model/modx/processors/security/login.php:

      if (!$user->get('active')) {
          return $modx->error->failure($modx->lexicon('login_user_inactive'));
      }
      
      foreach ($user->UserSettings as $settingPK => $setting) {
          $sname= $setting->get('key');
          $$sname= $setting->get('value');
      }
      if ($user->Profile->get('failed_logins') >= $modx->getOption('failed_login_attempts') && $user->Profile->get('blockeduntil') > time()) {
          return $modx->error->failure($modx->lexicon('login_blocked_too_many_attempts'));
      }
      if ($user->Profile->get('failedlogincount') >= $modx->getOption('failed_login_attempts')) {
          $user->Profile->set('failedlogincount', 0);
          $user->Profile->set('blocked', 1);
          $user->Profile->set('blockeduntil', time() + (60 * $modx->getOption('blocked_minutes')));
          $user->Profile->save();
      }
      if ($user->Profile->get('blockeduntil') != 0 && $user->Profile->get('blockeduntil') < time()) {
          $user->Profile->set('failedlogincount', 0);
          $user->Profile->set('blocked', 0);
          $user->Profile->set('blockeduntil', 0);
          $user->Profile->save();
      }
      if ($user->Profile->get('blocked')) {
          return $modx->error->failure($modx->lexicon('login_blocked_admin'));
      }
      if ($user->Profile->get('blockeduntil') > time()) {
          return $modx->error->failure($modx->lexicon('login_blocked_error'));
      }
      if ($user->Profile->get('blockedafter') > 0 && $user->Profile->get('blockedafter') < time()) {
          return $modx->error->failure($modx->lexicon('login_blocked_error'));
      }
      


      'active' is a more general setting

      'blocked' is normally a result of too many failed logins and works together with 'blockeduntil'
        -------------------------------

        you can buy me a beer, if you like MIGX

        http://webcmsolutions.de/migx.html

        Thanks!
        • 40553
        • 42 Posts
        Thanks, that explains the difference. As I have looked through the core and settings, it seems that activating and deactivating a user is an easy process meant to be reversible, while blocking takes more actions to unblock and restore user privileges.
          • 3749
          • 24,544 Posts
          I think it's more correct to say that blocked is meant to be time-based. It blocks a user with x number of failed login attempts (settable) for a certain amount of time (also settable) and then unblocks them automatically when the time is up. Its main purpose is to prevent brute-force login hacking. You can use it for something else if you want to, but I'd recommend not messing with it except to set the number of failed logins and the time the user will be blocked.

          Active is a manual setting that won't change unless it is altered by code or by a Manager user. It can be used for whatever you want, keeping in mind that non-active users normally can't log in.

          The Register and Subscribe snippets, for example, create users and save all their data, but with the 'active' field set to 0. When the user responds to the activation email, the user's 'active' field is set to 1.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting
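
The order of checks in the login.php excerpt quoted in this thread, replayed on plain arrays so each state can be tried without a MODX install. This is an added example, not part of any post and not MODX code: `login_state()`, the `'allowed'` result and the sample rows are hypothetical, and the excerpt's first lockout check (on `failed_logins`) is left out.

```php
<?php
// Added example (not MODX code): same check order as the quoted excerpt.
// Returns the lexicon key the excerpt would fail with, or 'allowed',
// plus the profile fields as the excerpt would have saved them.
function login_state(array $user, array $profile, int $now, int $maxAttempts, int $blockedMinutes): array
{
    // 'active' is checked first and is never changed by the login code.
    if (empty($user['active'])) {
        return ['login_user_inactive', $profile];
    }
    // Failed-login threshold reached: start a timed lockout.
    if ($profile['failedlogincount'] >= $maxAttempts) {
        $profile['failedlogincount'] = 0;
        $profile['blocked'] = 1;
        $profile['blockeduntil'] = $now + 60 * $blockedMinutes;
    }
    // Lockout expired: the block is lifted automatically.
    if ($profile['blockeduntil'] != 0 && $profile['blockeduntil'] < $now) {
        $profile['failedlogincount'] = 0;
        $profile['blocked'] = 0;
        $profile['blockeduntil'] = 0;
    }
    if ($profile['blocked']) {
        return ['login_blocked_admin', $profile];
    }
    if ($profile['blockeduntil'] > $now) {
        return ['login_blocked_error', $profile];
    }
    if ($profile['blockedafter'] > 0 && $profile['blockedafter'] < $now) {
        return ['login_blocked_error', $profile];
    }
    return ['allowed', $profile];
}

// Constructed sample data: a fixed "now", 5 attempts, 60 blocked minutes.
$now  = 1700000000;
$base = ['failedlogincount' => 0, 'blocked' => 0, 'blockeduntil' => 0, 'blockedafter' => 0];
$cases = [
    'inactive user'      => [['active' => 0], $base],
    'threshold reached'  => [['active' => 1], ['failedlogincount' => 5] + $base],
    'lockout expired'    => [['active' => 1], ['blocked' => 1, 'blockeduntil' => $now - 1] + $base],
    'blocked, no expiry' => [['active' => 1], ['blocked' => 1] + $base],
];
foreach ($cases as $name => [$user, $profile]) {
    [$state, $after] = login_state($user, $profile, $now, 5, 60);
    printf("%-20s %-22s blocked=%d blockeduntil=%d\n", $name, $state, $after['blocked'], $after['blockeduntil']);
}
```

The last two cases show the practical difference inside "blocked" itself: a block with a past `blockeduntil` clears on the next login attempt, while `blocked` set with `blockeduntil` at 0 stays until someone changes it.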