As with most applications that allow user interaction, there is always a small minority of users that does not play by the rules. Gallery admins therefore need a tool to get rid of the users who misbehaved. That is what the ban feature is meant to be used for.
For cpg1.5.x (in comparison to cpg1.4.x), the ban page has been overhauled to make it more useful, featuring pagination, multiple edits (instead of one row per edit), sorting, and the ability to ban by email address and also ban "in advance", i.e. ban user names that have not been registered yet.
You have to understand though that banning is not a tool to pro-actively secure your site against malevolent users. In fact, it is quite the opposite: it allows you to reduce the damage that could be caused by people who misbehave after they have done something wrong.
Banning is not the proper tool to fight spam - spammers will return with different accounts no matter how often you ban them. There are some other tools that work better against spammers (like captcha and comment moderation).
The "Ban users" page is of course admin-only. Non-admins cannot access it.
How banning works
You can enter ban records on the "Ban users" page that can be accessed using the corresponding link in your admin menu (when you are logged in as admin).
It makes some sense to ban users by user name and email address, but it usually is not recommended to ban by IP address.
A ban record can contain a ban by user name, by email address and by IP address.
If you ban by user name and that user already exists in your gallery, the user is banned immediately - no matter what Coppermine page he is trying to visit. If you ban a user name that does not exist yet, the record is accepted as well. This is meant to reserve user names that you do not want your visitors to use when registering. It might be a good idea to ban user names that malevolent users might use to make others believe that they have a particular role on your site: usually, you would want to prevent your users from using names like "admin", "administrator", "moderator", "root" etc. Of course those would just be names and no special privileges would come with them, but others might get the impression that the user who has chosen the name "admin" actually is the real admin of your gallery.
Bans on email addresses are not immediately taken into account: if you ban an email address that one of your registered users is already using, that user will not automatically be banned (use the ban by user name feature instead). The ban-by-email feature is only taken into account on the registration page: no one can register using the email addresses that have been banned.
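The matching rules described above, modelled as an added Python example; it is not Coppermine's own code. The class and function names, the sample records, the exact string comparison, and the assumptions that expired records are not enforced and that IP bans are checked on every request are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class BanRecord:
    # Only one of the three fields needs to be populated.
    user_name: Optional[str] = None
    email: Optional[str] = None
    ip_addr: Optional[str] = None
    expires: Optional[datetime] = None  # None means the ban never expires

    def active(self, now: datetime) -> bool:
        # Assumption: a record whose expiry date has passed is not enforced.
        return self.expires is None or now < self.expires


def blocks_page_view(bans, user_name, ip_addr, now):
    """Request from an existing account (user_name=None for a guest).
    Email bans are ignored here: they only count at registration."""
    for ban in bans:
        if not ban.active(now):
            continue
        if ban.user_name is not None and ban.user_name == user_name:
            return True
        # Single addresses only: no ranges, no wildcards.
        if ban.ip_addr is not None and ban.ip_addr == ip_addr:
            return True
    return False


def blocks_registration(bans, user_name, email, ip_addr, now):
    """Registration: reserved user names and banned email addresses apply."""
    if blocks_page_view(bans, user_name, ip_addr, now):
        return True
    return any(b.active(now) and b.email is not None and b.email == email
               for b in bans)


# Constructed sample records (documentation-range IPs, example.com addresses).
NOW = datetime(2024, 1, 1)
BANS = [
    BanRecord(user_name="admin"),                                  # reserved in advance
    BanRecord(user_name="troll42", expires=datetime(2020, 1, 1)),  # expired
    BanRecord(email="old@example.com"),
    BanRecord(ip_addr="192.0.2.10"),
]
```

An existing account registered with old@example.com still passes blocks_page_view, because that check never looks at the email address; locking that account out takes a ban by user name.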
Why banning by IP address is not recommended
One might think that banning by IP address is the most effective way to ban a user for good and avoid re-registration using another user name and email address. However, this is not the case: although the average user does not have control over his own IP address, banning by IP address usually is a lame crutch. Only use banning by IP address if you notice abuse frequently coming from the same IP address.
The main reasons why banning by IP address is not recommended:
IP addresses get assigned dynamically to end users with each surfing session
IP addresses get assigned to end users by their ISP each time they connect to the internet, no matter if they use DSL, cable, modem or another method to connect. The ISP may or may not assign the same IP address they used to have in a previous session, but from time to time the IP address that gets assigned to end users usually will change.
Legitimate visitors of your page might get locked out
As suggested above, IP addresses get assigned by ISPs. If you ban a user by IP address, that user might get another IP address during his next session. The IP address you originally banned might then get assigned by the ISP to another user who has not done anything wrong, yet the ban by IP then affects him - he is locked out of your site and does not even have a chance to complain.
Spammers use bots
Usually, spammers do not use their own PCs to drop their unwanted messages, but they control others' computers or servers, using trojan horses (so-called "bots"). Those zombie PCs do their task of dropping spam without the owner being aware of it. If you ban such a zombie PC, another PC that is under the control of the spammer will take over the job of spamming your site. The spammers often have control over bot farms that contain hundreds or even thousands of computers that were hijacked. Trying to ban one PC by IP address that is a member of a botnet is a futile task.
IP addresses can be spoofed
Regular users usually do not have the skills to manipulate their IP address. However, hackers know how to do that. Spammers might hire hackers or buy spoofing applications from obscure sources to manipulate their IP address. As a result, if you ban someone like that by IP address, the forged IP address will just change. Similar to the attacks by botnets, there is little you can do against that.
People use anonymization proxies
There is a growing number of people who are using anonymizing proxies to surf the web in a more secure manner. If you ban one user who accessed your site while using an anonymization proxy, you ban all users using that service, which could be millions. You certainly would not want that to happen.
The "Ban users" page consists of the following controls:
Statistics and filtering information
The first actual row of the table (after the heading) contains statistical data about the total number of bans and the total number of pages. If there are more ban records than the set maximum per page (25), a pagination tab will be displayed at the right that allows you to jump to previous and next pages.
The identical row is displayed at the bottom of the table again to allow easier navigation between tabs.
The Ban ID column can be sorted ascending or descending, using the small up and down arrows in the column heading. The ban ID cannot be edited - a new ban ID is created for each ban record the admin enters. As the Ban ID increases with each record, sorting the entire table by Ban ID will result in a table sorted by creation time of the ban.
The column "Delete" contains checkboxes for each ban record - if you want to delete a ban (i.e. un-ban the user), simply tick the corresponding checkbox and submit the form using the "OK"-button at the bottom.
If a ban record is set to expire and the expiry date has passed, the corresponding expired ban record will be tagged with the word "Expired" in the "Delete"-column to alert the admin of those expired bans unless you have enabled the config option "Automatically purge expired bans".
The column "User Name" can be sorted in ascending or descending order, using the little arrow icons in the column header cell. The column displays the ban-by-username field for a ban record. A user name that actually exists in Coppermine's user table will show a user icon next to the user name field that can be clicked to go to the corresponding user's profile. Bans by user name that actually have an impact (i.e. that keep an existing user from viewing the gallery or doing anything else) will have the view profile link next to them. Ban records that have been created "in advance" (to reserve a particular user name to make sure users do not register using that name) without corresponding to an existing account will not display the view profile icon next to them. If you delete a user, the view profile link will of course go away as well. The correlation between a ban by user name and an existing account will be checked each time the "Ban users" page is accessed.
The column "Email Address" can be sorted in ascending or descending order, using the little arrow icons in the column header cell. The column displays the ban-by-email-address field for a ban record. The ban-by-email feature is only taken into account on Coppermine's registration screen. It is invalid when Coppermine is bridged.
Currently, wildcards or placeholders can not be used when banning by email address, so there is no option to ban the usage of throw-away email addresses by domain.
The column "IP Address" can be sorted in ascending or descending order, using the little arrow icons in the column header cell. The column displays the ban-by-IP-address field for a ban record. Banning by IP address is not recommended (see "Why banning by IP address is not recommended").
Currently, you can only specify single IP addresses. You can not specify entire IP address ranges. Advanced notations are currently not supported, nor is the use of wildcards supported.
Add New Ban
Use the fields in the row "Add New Ban" to create a new ban record. A new ban record can contain user name, email address and IP address and can have an expiry date, but it does not need to contain all three of those ban mechanisms - only one field needs to be populated to create a ban record.
When creating a ban record you have the option to delete all comments posted by the banned user (when banning by user name).
Look up an IP address
Below the banning table you will find another form that allows you to look up a particular IP address. This can be helpful to determine whether an IP address belongs to an ISP or if it is a static IP address that is worth banning by IP.
Please keep in mind that the target of the IP address lookup will lead you to a third party web site. The Coppermine dev team can not be held responsible for the content of that third party page. The IP lookup field is being provided as a courtesy to end users with no guarantees. It might not be available if the third party site changes their site design or lookup policy.
No banning when bridged
Please note that banning does not make much sense if you have bridged Coppermine with another application (see "Bridging"), as in that case Coppermine drops its own user management and instead uses the user management of the app it is bridged with. That is why the admin menu item "Ban users" is deliberately hidden when you have bridged your gallery. You can still access the "Ban users" page if you must by manually entering the URL of that page into the address bar of your browser (e.g. http://yoursite.tld/your_coppermine_folder/banning.php). There will be a warning on the "Ban users" page; use the feature carefully and at your own risk when bridged.
Most applications that can be bridged with Coppermine have banning mechanisms of their own, so if your gallery is bridged, you should use your bridging application's banning mechanism instead of the one that ships with Coppermine.
There are a number of features that have not made it into the current release; among them is the ability to use wildcards for bans: ideally, you could ban entire IP address ranges or entire email domains. Currently, this is not possible. You are welcome to review Coppermine's core code and contribute your code change suggestions.