Skip to content
Permalink
Browse files

BUG Fix BasicAuth not resetting failed login counts on authentication

  • Loading branch information...
Damian Mooyman
Damian Mooyman committed Oct 24, 2014
1 parent 6683f3d commit 9d78eb7fe6f63eb1b630a032b2fba03eaa07b569
Showing with 58 additions and 20 deletions.
  1. +12 −3 security/Member.php
  2. +2 −0 security/MemberAuthenticator.php
  3. +28 −5 tests/security/BasicAuthTest.php
  4. +16 −12 tests/security/BasicAuthTest.yml
@@ -463,9 +463,7 @@ public function logIn($remember = false) {
}
// Clear the incorrect log-in count
if(self::config()->lock_out_after_incorrect_logins) {
$this->FailedLoginCount = 0;
}
$this->registerSuccessfulLogin();
// Don't set column if its not built yet (the login might be precursor to a /dev/build...)
if(array_key_exists('LockedOutUntil', DB::fieldList('Member'))) {
@@ -1560,6 +1558,17 @@ public function registerFailedLogin() {
}
}
}
/**
* Tell this member that a successful login has been made
*/
public function registerSuccessfulLogin() {
if(self::config()->lock_out_after_incorrect_logins) {
// Forgive all past login failures
$this->FailedLoginCount = 0;
$this->write();
}
}
/**
* Get the HtmlEditorConfig for this user to be used in the CMS.
@@ -73,6 +73,8 @@ protected static function authenticate_member($data, $form, &$success) {
if(!$success) {
if($member) $member->registerFailedLogin();
if($form) $form->sessionMessage($result->message(), 'bad');
} else {
if($member) $member->registerSuccessfulLogin();
}
return $member;
@@ -14,15 +14,14 @@ public function setUp() {
parent::setUp();
// Fixtures assume Email is the field used to identify the log in identity
self::$original_unique_identifier_field = Member::config()->unique_identifier_field;
Config::nest();
Member::config()->unique_identifier_field = 'Email';
Member::config()->lock_out_after_incorrect_logins = 10;
}
public function tearDown() {
Config::unnest();
parent::tearDown();
BasicAuth::protect_entire_site(false);
Member::config()->unique_identifier_field = self::$original_unique_identifier_field;
}
public function testBasicAuthEnabledWithoutLogin() {
@@ -104,7 +103,31 @@ public function testBasicAuthEnabledWithoutPermission() {
$_SERVER['PHP_AUTH_USER'] = $origUser;
$_SERVER['PHP_AUTH_PW'] = $origPw;
}
public function testBasicAuthFailureIncreasesFailedLoginCount() {
// Prior to login
$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
$this->assertEquals(0, $check->FailedLoginCount);
// First failed attempt
$_SERVER['PHP_AUTH_USER'] = 'failedlogin@test.com';
$_SERVER['PHP_AUTH_PW'] = 'test';
$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
$this->assertEquals(1, $check->FailedLoginCount);
// Second failed attempt
$_SERVER['PHP_AUTH_PW'] = 'testwrong';
$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
$this->assertEquals(2, $check->FailedLoginCount);
// successful basic auth should reset failed login count
$_SERVER['PHP_AUTH_PW'] = 'Password';
$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
$this->assertEquals(0, $check->FailedLoginCount);
}
}
class BasicAuthTest_ControllerSecuredWithPermission extends Controller implements TestOnly {
@@ -1,15 +1,19 @@
Group:
mygroup:
Code: mygroup
mygroup:
Code: mygroup
Member:
user-in-mygroup:
Email: user-in-mygroup@test.com
Password: test
Groups: =>Group.mygroup
user-without-groups:
Email: user-without-groups@test.com
Password: test
user-in-mygroup:
Email: user-in-mygroup@test.com
Password: test
Groups: =>Group.mygroup
user-without-groups:
Email: user-without-groups@test.com
Password: test
failed-login:
Email: failedlogin@test.com
Password: Password
FailedLoginCount: 0
Permission:
mycode:
Code: MYCODE
Group: =>Group.mygroup
mycode:
Code: MYCODE
Group: =>Group.mygroup

0 comments on commit 9d78eb7

Please sign in to comment.
You can’t perform that action at this time.