
How to ban problem users in DotNetNuke

If you are running any kind of DotNetNuke website with public registration, you have probably had problem users.  Users who write offensive comments, who troll, who spam, or even try to break into other users' accounts.  We've all seen them, so what can we do in DotNetNuke to deal with them?  It's not a situation that you want to be in, but you have to do something.

It turns out there is no "ban user" button in DotNetNuke.  There is an "Unauthorize" button, but afterwards the user can just re-use the verification code they were sent in their welcome email.  And then they are back in causing the same problems all over again.

There is a "Lock" field in the database, but you must open SQL Server Management Studio and manually set this to true.  This is beyond the average DotNetNuke site admin who is not familiar with SQL.

You could delete the user, but unless you had the "require unique email" setting in your web.config turned on when you installed DotNetNuke (if you didn't, it's too late to change it now), they can just register again with the same email.

Even if you do somehow manage to stop this person from logging on as one particular user, there is nothing in DotNetNuke to stop them from creating a new user account.

What you need to consider is banning by IP address.  It's not an ideal situation, but it is a weapon that we have and you will need to use it sometimes.

But there is no obvious way to do this in DotNetNuke either: there is no ban IP button, no ban IP page, no nothing.  DotNetNuke doesn't tell you what IP addresses a user has been logging in from, or how to ban that IP.

Luckily for you there is a way to ban an IP.  But it's hidden away, and awkward to use for the average DotNetNuke site owner.

To ban the IP address, you need to use the "request filter" setting on the host settings page.  Obvious, isn't it?  This is a feature that was actually meant to do something else; it's just lucky that it happens to also allow for the banning of IP addresses.  If it wasn't for this feature there would have been no way to ban an IP address.

So to ban an IP you need to add a new request filter with these options:

Variable: Remote_addr
Operation: Regex
Match: 1\.2\.3\.4  (put the correct IP address in here).
Action: Redirect
Location: http://www.example.com

You must be careful to get the options right.  Request filters will cause severe problems when done incorrectly, so approach with extreme care.
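
The Match value is the easiest option to get wrong.  The sketch below is an added example, not code from the original post or from DotNetNuke; it assumes the filter applies the pattern as an unanchored, case-insensitive search (as .NET's Regex.IsMatch does), and the client addresses in it are constructed.

```python
import ipaddress
import re

# Constructed sample client addresses (not from the original post).
SAMPLE_CLIENTS = [
    "1.2.3.4",      # the address we actually want to ban
    "11.2.3.4",     # contains "1.2.3.4" as a substring
    "1.2.3.45",     # contains "1.2.3.4" as a prefix
    "211.2.3.40",   # contains "1.2.3.4" in the middle
    "1.223.4.9",    # only hit when the dots are left unescaped
    "1.2.3.5",      # unrelated neighbour
]


def ban_pattern(ip: str) -> str:
    """Return an anchored, escaped regex matching exactly one IPv4 address."""
    # IPv4Address raises ValueError on typos such as "1.2.3" or "1.2.3.400".
    addr = ipaddress.IPv4Address(ip)
    # Escape the dots so they match literally; anchor both ends so the
    # pattern cannot match inside a longer address.
    return "^" + re.escape(str(addr)) + "$"


def blocked(pattern: str, clients=SAMPLE_CLIENTS) -> list:
    """List the clients a filter with this Match value would redirect.

    Assumption: the filter does an unanchored, case-insensitive search.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [c for c in clients if rx.search(c)]


if __name__ == "__main__":
    for label, pattern in [
        ("dots unescaped", "1.2.3.4"),
        ("escaped, no anchors", r"1\.2\.3\.4"),
        ("escaped and anchored", ban_pattern("1.2.3.4")),
    ]:
        print(f"{label:22} {pattern:16} -> {blocked(pattern)}")
```

Under that assumption, the escaped but unanchored value also redirects three other visitors, while the anchored value from ban_pattern redirects only the address you meant to ban.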

So we've discovered that banning users and IP addresses is another area where DotNetNuke lets you down as a site administrator.  You simply don't have the fine-grained control over users that you need to have.  And the one method that was accidentally provided happens to be quite difficult to use.

What there should be is a page that lets you ban users, and another that lets you ban IP addresses.  Then you can see the list of banned users or banned IPs in a nice easy to manage list, and you can easily add or remove users/IPs from that list.  This is what we need to make it easier for a DotNetNuke site owner to deal with problem users.

I've got more to say on these hidden flaws in DotNetNuke coming up soon, so keep an eye open.  If you've got concerns about security in DotNetNuke, send me an email or even a tweet to @bestwebsitesnz.  I'd love to hear from you.

 
