Log all 'locked out' failures

[Starpaul20]

If locked out of the Admin CP due to bad password, log these failures.

[euantorano]

THis should be an easy one, so I'll stake claim to it early 😆

[euantorano]

Started work in #861. Need to test locally.

[euantorano]

Ok, that seems to work for me locally. The log entry is pretty basic in the form as follows:

    Administrator login attempt for user ID 1 locked out from IP address ::1.

[euantorano]

This should be done if somebody from SQA could test?

[JordanMussi]

Can I also suggest logging what user was logged into the frontend at that time as well as the admin account attempting to be logged into?

[euantorano]

That's odd. I'll have to test again, though it might require a mod to the function logging admin actions.

[Sama34]

4651dfb should fix the SQL error.

I suppose $mybb->user['uid'] will not be defined if the user is trying to log-in.

@euantorano simply pass the data to the log_admin_action() function and format it in the administrator logs page (:

[euantorano]

Nice one, cheers Omar. I'll look at it ASAP.

On 13 Jul 2014, at 21:08, Omar Gonzalez notifications@github.com wrote:

4651dfb should fix the SQL error.

I suppose $mybb->user['uid'] will not be defined if the user is trying to log-in.

@euantorano simply pass the data to the log_admin_action() function and format it in the administrator logs page (:

—
Reply to this email directly or view it on GitHub.

[euantorano]

@JordanMussi, the patch by @Sama34 fixes the issue. Could you please pull and test again? I've also simplified the log string rather than duplicating the IP info.

[JordanMussi]

Yeah it works...

My suggestions... 👅

• The format for other logging strings is Edited user #2 (Test), Activated user #2 (Test) etc. so you should probably do: Administrator login attempt for user #{1} ({2}) locked out. (1 replaced with id and 2 with the username)
• User attached to the log (for the username column of the logs table) should be of the logged in user in the frontend or none if it is a guest...

[euantorano]

Should already do #2. The username is fetched in the log_admin_action() function.

On 16 Jul 2014, at 21:07, Jordan Mussi notifications@github.com wrote:

Yeah it works...

My suggestions...

The format for other logging strings is Edited user #2 (Test), Activated user #2 (Test) etc. so you should probably do: Administrator login attempt for user #{1} ({2}) locked out. (1 replaced with id and 2 with the username)
User attached to the log (for the username column of the logs table) should be of the logged in user in the frontend or none if it is a guest...
—
Reply to this email directly or view it on GitHub.

[JordanMussi]

I don't fully follow... It doesn't look like you've done that in #861...

[euantorano]

If the user has a front-end login, it will show the username. If they aren't logged in on the front-end, it won't.

I'll capture a screenshot tonight.

[JordanMussi]

Really? Are you sure you've pushed that code?

[euantorano]

Pretty sure. Last I checked log_admin_action does it all.

On 17 Jul 2014, at 19:25, Jordan Mussi notifications@github.com wrote:

Really? Are you sure you've pushed that code?

—
Reply to this email directly or view it on GitHub.

[JordanMussi]

log_admin_action takes the currently logged in admin. Since it logs when there is no admin logged in there is nothing to capture...

[euantorano]

Are you sure? Line 30/31 of admin/inc/functions.php:

$log_entry = array(
    "uid" => (int)$mybb->user['uid'],

Surely that'll grab the current user ID? I'm sure my local install had a currently logged in user. I didn't get a chance to screenshot last night but will tonight.

[JordanMussi]

Yes but look at admin/index.php line 169
That replaces the $mybb->user with the user that is being attempted to be logged in to.

Also at line 302 $mybb->user doesn't seem to be set...

[euantorano]

Ah, in which case I'll have to create a temporary $front_end_user variable and assign it, but the actual display of the action will still be off :(

[euantorano]

To add the user details properly, I'm going to have to change quite a lot of stuff in admin/index.php. WHat does everybody else think? In the interests of moving on, I think it's probably passible as is. @mybb/developers...

[euantorano]

Also, this is how the logs currently look...

[Starpaul20]

Couldn't you just use the user id of the user being locked out?

[Sama34]

Or use "Guest" as the username.

"euan" should be formatted in the first line. Don't we do this with other logs (formatting usernames in the details, if not then ignore me)?

[JordanMussi]

The username column should contain the frontend user attempting to login (not necessarily the admin account that is being entered into the admin login form) but if it requires a lot of effort I'm happy to skip.

@euantorano, you haven't committed the part where is also adds the username to the log language line.

[euantorano]

I'm pretty sure I did commit that Jordan. I'd say we call this complete for now in the interest of hitting Beta 3. I can always enhance it later.

[JordanMussi]

Damn, my bad. I didn't see a notification of the commit. 👅

[euantorano]

😉

[Sama34]

I don't think this was meant to be closed?

[DiogoParrinha]

@euantorano

[euantorano]

@PirataNervo See this: http://community.mybb.com/thread-155809-post-1087393.html#pid1087393

Pretty much sums up where I'm at with this.

[DiogoParrinha]

Merged then. A new issue should be opened to correct that.

[euantorano]

Yes, can wait till 1.8.0.