Add User lockout and user unlock options #2897
Conversation
… on the max login and unlock time settings
… more user friendly.
|
One thing to raise is that currently config settings are only saved if they already exist due to how the configurator works. This means that new installs will have the default config settings but upgrades may not be able to save the settings. We may need to add to the upgrade script to add these missing config settings. |
| return; | ||
| } | ||
| $this->bean->setPreference('user_locked_out', false); | ||
| $this->bean->setPreference('user_locked_out_time', ''); |
There was a problem hiding this comment.
needs to also reset the loginfailed preference
| @@ -122,6 +122,11 @@ function preDisplay() { | |||
| } | |||
| } | |||
| } | |||
| if(is_admin($current_user)){ | |||
There was a problem hiding this comment.
unnecessary should just be part of the above if statement which checks for the same
There was a problem hiding this comment.
The two checks above also check for if the user is editing their own record, this shouldn't matter since if the user is locked they wont be viewing their own record but seems safer to keep this check separate?
There was a problem hiding this comment.
yes but your inside that elseif check, so that is right I am talking about the if statement on line 111
There was a problem hiding this comment.
Ah, you're right. Fixed.
| @@ -83,6 +83,21 @@ public function SugarAuthenticate(){ | |||
| self::__construct(); | |||
| } | |||
|
|
|||
| private function isUserLockedOut(User $user){ | |||
| @@ -250,8 +250,41 @@ | |||
| {/if} | |||
| </table> | |||
|
|
|||
|
|
|||
|
|
|||
| <table id="userResetPassId" name="userResetPassName" width="100%" border="0" cellspacing="1" cellpadding="0" class="edit view"> | |||
There was a problem hiding this comment.
shows even when LDAP or SAML are selected, should be hidden, unless this support them??
| @@ -1270,5 +1270,9 @@ | |||
| 'LBL_AUTO_UNLOCK_TIME_UNITS' => 'minutes', | |||
| 'ERR_MAX_FAILED_LOGINS' => 'Please specify a valid value for the number of max failed logins', | |||
| 'ERR_AUTOMATIC_UNLOCK_TIME' => 'Please specify a valid value for the automatic unlock time', | |||
| 'LBL_ENABLE_MAX_FAILED_LOGINS' => 'Lock users after a number of failed logins', | |||
| 'LBL_ENABLE_MAX_FAILED_LOGINS_HELP' => '', | |||
mattlorimer
changed the base branch from
hotfix-7.6.x
to
feature/user_lockout
|
@Dillon-Brown I see this is merged in the feature branch. But what SuiteCRM release is this planned for? |
|
Hi @mattlorimer, We wanted to develop a solution similar to this one, but it looks there has been some validation work done here. What is the status of this PR? Is it merging to master soon? Although we haven't tested it yet, we could try to bring it up. |
Description
Provides admin settings for automatically locking users after a configurable amount of failed logins. Also provides admin users the ability to unlock locked users.
Also provides an admin setting for automatically unlocking users after a configurable amount of time.
Motivation and Context
Currently there is no limit to the number of login attempts that a user can make, this could in theory allow brute force attacks on the login screen. This PR allows an automated way of preventing this.
How To Test This
Setting the new maxfailedlogins config setting and deliberately failing to login, say, 3 times will prevent future logins until the user is unlocked on the user screen by an admin.
Setting the automaticunlocktime config setting however will unlock users x minutes after they are locked.
Types of changes
Final checklist