Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIX mark a successful login attempt when completing a password reset #11176

Merged
merged 1 commit into from
Jun 5, 2024

Conversation

wilr
Copy link
Member

@wilr wilr commented Mar 14, 2024

Description

See issue #10100

Manual testing steps

  • Lock yourself out of a site (5 password fails)
  • Reset your password via 'Forgot Password'
  • Password reset fails as user is 'Locked out'

Issues

Pull request checklist

  • The target branch is correct
  • All commits are relevant to the purpose of the PR (e.g. no debug statements, unrelated refactoring, or arbitrary linting)
    • Small amounts of additional linting are usually okay, but if it makes it hard to concentrate on the relevant changes, ask for the unrelated changes to be reverted, and submitted as a separate PR.
  • The commit messages follow our commit message guidelines
  • The PR follows our contribution guidelines
  • Code changes follow our coding conventions
  • This change is covered with tests (or tests aren't necessary for this change)
  • Any relevant User Help/Developer documentation is updated; for impactful changes, information is added to the changelog for the intended release
  • CI is green

Copy link
Member

@GuySartorelli GuySartorelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry it's taken so long to review this.

Looks sensible to me, but it should be conditional against Security::config()>get('login_recording') - see MemberAuthenticator::recordLoginAttempt()

@wilr
Copy link
Member Author

wilr commented Jun 5, 2024

@GuySartorelli Looking at that, if you make it conditional then you would still hit the issue if you had login_recording set to false, but lock_out_after_incorrect_logins set to true.

@GuySartorelli
Copy link
Member

I'm okay with it being conditional against both of those, if that's the case. Though my understanding is that this bug can't happen if login_recording is set to false, because it won't be writing any login attempt records at all.

@wilr wilr force-pushed the fix/reset-password-lockout branch from 75c1f67 to 9361382 Compare June 5, 2024 23:43
@wilr
Copy link
Member Author

wilr commented Jun 5, 2024

@GuySartorelli updated accordingly!

Copy link
Member

@GuySartorelli GuySartorelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for making that change so quickly.

@GuySartorelli GuySartorelli merged commit 64ac096 into silverstripe:5 Jun 5, 2024
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants