invis.net

WP fail2ban breaks users capabilities

Today we noticed that users who are members of the group “Authors” cannot access “Posts” anymore. When clicking on “Posts”, instead of the list of posts they got “Forbidden”. It did not affect users without their own posts, but as soon as they created a post, or someone changed the author of a post to their name, the post list became “Forbidden.”
Users of groups including the capability “edit_others_posts” were not affected, and after adding the capability “edit_others_posts” to the group “Authors” the problem was gone. As this is not an acceptable solution I looked further, and it turned out that:

  • removing: define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true); from wp-config.php
    or (obviously)
  • deactivating WP fail2ban

instantly fixes the problem.

This is a multisite installation; WP fail2ban is activated network-wide.


Yes, it looks like WP changed something recently that breaks this; ClassicPress still works as before.

For now you can change line 59 in features/user-enum.php:

if (!is_admin() &&
    !current_user_can('edit_others_posts') &&
    intval(array_value('author', $query->query_vars)))
{

However, until I’ve looked through the WP changes I’m not sure that’s the best solution - it should get things working for you for now though.
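As an added illustration (not WP fail2ban’s own code and not the 4.3.0.6 fix), the shape of the check discussed above written as a small standalone plugin: it hooks pre_get_posts, leaves admin screens and secondary queries alone, and returns a 403 only for front-end requests that carry a numeric author ID from a visitor without edit_others_posts. The function name and the log message text are assumptions.

```php
<?php
/**
 * Plugin Name: Block author enumeration (added example)
 *
 * Added example, not WP fail2ban's code. On front-end requests that carry a
 * numeric ?author= query variable, visitors lacking edit_others_posts get a
 * 403 instead of WordPress's usual redirect to /author/<login>/, which is what
 * leaks user names. Admin screens are skipped, so an Author-role user viewing
 * their own post list (which also sets the author query var) is not blocked.
 */

add_action( 'pre_get_posts', 'example_block_author_enumeration' );

function example_block_author_enumeration( WP_Query $query ) {
    // Admin list tables and secondary queries (widgets, REST lookups) must
    // keep working, so only the main front-end query is inspected.
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }

    // Editors and above may legitimately browse posts by author ID.
    if ( current_user_can( 'edit_others_posts' ) ) {
        return;
    }

    // A numeric author ID is the enumeration vector (?author=1, ?author=2, ...).
    // WP_Query::get() returns '' when the variable is absent; a negative value
    // is WordPress's author-exclusion syntax and is not an ID scan either.
    $author = $query->get( 'author' );
    if ( '' === $author || ! is_numeric( $author ) || intval( $author ) <= 0 ) {
        return;
    }

    // Leave a line in the PHP error log for a log-based ban filter to pick up.
    // The message wording is an assumption, not WP fail2ban's syslog format.
    error_log( sprintf(
        'Blocked user enumeration attempt from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
```

pre_get_posts runs before the canonical redirect on template_redirect, so the 403 is sent before WordPress would reveal the author slug.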

Great, thanks a lot for your support!

I’ve just released 4.3.0.6 which fixes this properly - it’d be great if you could let me know how you get on.

Great! Thank you very much, works like a charm!

Commentary: issue possibly not fixed.

I’m new to WP Fail2ban; installed 4.3.0.6 a couple of days ago (WordPress (multisite): 5.4.2, PHP-FPM: 7.4). I enabled WP_FAIL2BAN_BLOCK_USER_ENUMERATION and I was locked out the next time I tried to log in (my account is an administrator). Attempting to log in resulted in (oh, can’t remember now) a mostly blank page with something like “Failure…”

Removed the define() and could log in again.

I was not able to reproduce your behaviour. I just logged in without problems, as a normal user, as superadmin, from different devices. I also have WP_FAIL2BAN_BLOCK_USER_ENUMERATION enabled.

I will keep you updated if other users report problems.
