ERP5Security: Do not call notifyLoginFailure multiple times.

f3dc7d8b · Yusei Tahara · Vincent Pelletier · e9531ee8 · f3dc7d8b
Commit f3dc7d8b authored May 11, 2022 by Yusei Tahara Committed by Vincent Pelletier Sep 27, 2022
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

product/ERP5Security/ERP5LoginUserManager.py product/ERP5Security/ERP5LoginUserManager.py +6 -1

No files found.
--- a/product/ERP5Security/ERP5LoginUserManager.py
+++ b/product/ERP5Security/ERP5LoginUserManager.py
@@ -27,6 +27,7 @@
 ##############################################################################
 from functools import partial
 from Products.ERP5Type.Globals import InitializeClass
+from Products.ERP5Type.TransactionalVariable import getTransactionalVariable
 from AccessControl import ClassSecurityInfo
 from AccessControl.AuthEncoding import pw_validate
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
@@ -132,7 +133,11 @@ class ERP5LoginUserManager(BasePlugin):
          or login_password is None
          or not pw_validate(login_password, password)):
        if is_authentication_policy_enabled:
+          tv = getTransactionalVariable()
+          login_failure_key = 'notified_login_failure_' + login_value.getRelativeUrl()
+          if tv.get(login_failure_key) is None:
            login_value.notifyLoginFailure()
+            tv[login_failure_key] = 1
        return
    if is_authentication_policy_enabled:
      if login_value.isPasswordExpired():