Add User lockout and user unlock options #2897
Conversation
… on the max login and unlock time settings
… more user friendly.
One thing to raise is that currently config settings are only saved if they already exist due to how the configurator works. This means that new installs will have the default config settings but upgrades may not be able to save the settings. We may need to add to the upgrade script to add these missing config settings.
Generally works well, a minor issue and a few tweaks needed to be PSR 2 compliant
return; | ||
} | ||
$this->bean->setPreference('user_locked_out', false); | ||
$this->bean->setPreference('user_locked_out_time', ''); |
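Review bot: the unlock path clears `user_locked_out` and `user_locked_out_time` but leaves the failed-login counter that the lockout is computed from untouched, so the first failed attempt after an admin unlock would push the count back over the threshold and re-lock the user immediately; reset the `loginfailed` preference alongside the other two, e.g. `$this->bean->setPreference('loginfailed', 0);`.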
needs to also reset the loginfailed preference
@@ -122,6 +122,11 @@ function preDisplay() { | |||
} | |||
} | |||
} | |||
if(is_admin($current_user)){ |
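Review bot: `if(is_admin($current_user)){` is not PSR-2 formatted (a space after `if` and before the opening brace: `if (is_admin($current_user)) {`), and since the enclosing block in `preDisplay()` already branches on the admin check, the new condition can be folded into that branch instead of calling `is_admin()` a second time.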
Unnecessary, should just be part of the above if statement, which checks for the same.
The two checks above also check for if the user is editing their own record. This shouldn't matter, since if the user is locked they won't be viewing their own record, but it seems safer to keep this check separate?
Yes, but you're inside that elseif check, so that is right. I am talking about the if statement on line 111.
Ah, you're right. Fixed.
@@ -83,6 +83,21 @@ public function SugarAuthenticate(){ | |||
self::__construct(); | |||
} | |||
|
|||
private function isUserLockedOut(User $user){ |
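Review bot: `isUserLockedOut()` is added without a docblock and with the opening brace on the signature line; add a `/** ... @param User $user @return bool */` block stating exactly when it returns true (whether the automatic unlock time is taken into account here or elsewhere is what a caller needs to know), and move the brace to its own line as PSR-2 requires for methods.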
Docblock comment missing
@@ -250,8 +250,41 @@ | |||
{/if} | |||
</table> | |||
|
|||
|
|||
|
|||
<table id="userResetPassId" name="userResetPassName" width="100%" border="0" cellspacing="1" cellpadding="0" class="edit view"> |
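Review bot: `name="userResetPassName"` is not a valid attribute on a `<table>` element and nothing in the template can reference it; the `id` is sufficient, and the same `id` is what any show/hide logic for the authentication-type selector should target so the block is not rendered when LDAP or SAML is selected.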
Shows even when LDAP or SAML are selected; should be hidden, unless this supports them??
@@ -1270,5 +1270,9 @@ | |||
'LBL_AUTO_UNLOCK_TIME_UNITS' => 'minutes', | |||
'ERR_MAX_FAILED_LOGINS' => 'Please specify a valid value for the number of max failed logins', | |||
'ERR_AUTOMATIC_UNLOCK_TIME' => 'Please specify a valid value for the automatic unlock time', | |||
'LBL_ENABLE_MAX_FAILED_LOGINS' => 'Lock users after a number of failed logins', | |||
'LBL_ENABLE_MAX_FAILED_LOGINS_HELP' => '', |
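Review bot: `LBL_ENABLE_MAX_FAILED_LOGINS_HELP` is defined as an empty string, so the help text for this option is blank wherever the `_HELP` strings are rendered; give it one sentence saying that after the configured number of failed logins the user is locked until an admin unlocks them or the automatic unlock time (in the `LBL_AUTO_UNLOCK_TIME_UNITS` minutes) has elapsed, matching the wording of the two `ERR_` strings above it.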
Empty language string!
@Dillon-Brown I see this is merged in the feature branch. But what SuiteCRM release is this planned for?
Hi @mattlorimer, we wanted to develop a solution similar to this one, but it looks like there has been some validation work done here. What is the status of this PR? Is it merging to master soon? Although we haven't tested it yet, we could try to bring it up.
Description
Provides admin settings for automatically locking users after a configurable amount of failed logins. Also provides admin users the ability to unlock locked users.
Also provides an admin setting for automatically unlocking users after a configurable amount of time.
Motivation and Context
Currently there is no limit to the number of login attempts that a user can make; this could in theory allow brute force attacks on the login screen. This PR allows an automated way of preventing this.
How To Test This
Setting the new maxfailedlogins config setting and deliberately failing to log in, say, 3 times will prevent future logins until the user is unlocked on the user screen by an admin.
Setting the automaticunlocktime config setting however will unlock users x minutes after they are locked.
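The lockout rules the PR describes (lock after maxfailedlogins failures, automatic unlock after automaticunlocktime minutes, and an unlock that clears the whole state, including the loginfailed counter the review asks for), as an added PHP 8 example that is not the PR's code. The preference and setting names come from the diff and the review comments; the class names, the 30-minute unlock window and the timestamps are assumed.

```php
<?php
// Added example (not the PR's own code) modelling the lockout state the PR keeps in user preferences
// with the maxfailedlogins/automaticunlocktime settings (0 = off). Class names are assumed, not SuiteCRM's.
class LockoutUser
{
    private array $prefs = [];
    public function setPreference(string $name, $value): void { $this->prefs[$name] = $value; }
    public function getPreference(string $name) { return $this->prefs[$name] ?? null; }
}
class LoginLockout
{
    public function __construct(private int $maxFailedLogins, private int $autoUnlockMinutes) {}
    /** True while the user is locked; applies the automatic unlock once its window has elapsed. */
    public function isUserLockedOut(LockoutUser $user, int $now): bool
    {
        $locked = (bool) $user->getPreference('user_locked_out');
        $lockedAt = (int) $user->getPreference('user_locked_out_time');
        if ($locked && $this->autoUnlockMinutes > 0 && $now - $lockedAt >= $this->autoUnlockMinutes * 60) {
            $this->unlock($user); // window elapsed: clear the lock and start counting afresh
            $locked = false;
        }
        return $locked;
    }
    /** Counts a failed attempt; returns true when this attempt triggers the lock. */
    public function recordFailedLogin(LockoutUser $user, int $now): bool
    {
        $failed = (int) $user->getPreference('loginfailed') + 1;
        $user->setPreference('loginfailed', $failed);
        if ($this->maxFailedLogins > 0 && $failed >= $this->maxFailedLogins) {
            $user->setPreference('user_locked_out', true);
            $user->setPreference('user_locked_out_time', $now);
            return true;
        }
        return false;
    }
    /** Admin/auto unlock or successful login: clear flag, timestamp AND counter, or the next failure re-locks. */
    public function unlock(LockoutUser $user): void
    {
        $user->setPreference('user_locked_out', false);
        $user->setPreference('user_locked_out_time', '');
        $user->setPreference('loginfailed', 0);
    }
}
// Walk-through with constructed values: threshold 3 (as in the PR's test notes), 30-minute auto unlock.
$lockout = new LoginLockout(maxFailedLogins: 3, autoUnlockMinutes: 30);
$user = new LockoutUser();
$t0 = 1700000000;
foreach ([0, 1, 2] as $i) { $lockout->recordFailedLogin($user, $t0 + $i); }
assert($lockout->isUserLockedOut($user, $t0 + 60) === true);       // inside the window: still locked
assert($lockout->isUserLockedOut($user, $t0 + 31 * 60) === false); // window elapsed: auto-unlocked
assert($user->getPreference('loginfailed') === 0);                 // counter reset, not just the flag
```

Run it with `php -d zend.assertions=1 lockout.php`; a silent exit means all three checks passed.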