Commit 7dd043a7 authored by Ivan Tyagov's avatar Ivan Tyagov

Make sure that no more authentication failures than the number set in preferences are saved. Add comment.
parent 8e37853d
...@@ -111,6 +111,11 @@ class TestAuthenticationPolicy(ERP5TypeTestCase): ...@@ -111,6 +111,11 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
self.assertEqual(2, len(person.notifyLoginFailure())) self.assertEqual(2, len(person.notifyLoginFailure()))
self.assertEqual(3, len(person.notifyLoginFailure())) self.assertEqual(3, len(person.notifyLoginFailure()))
# we do not need to store more than max allowed failures so check it here
# this way a bot can not brute force us by filling up session storage backend
for i in range (0, 1000):
self.assertEqual(3, len(person.notifyLoginFailure()))
#import pdb; pdb.set_trace() #import pdb; pdb.set_trace()
self.assertTrue(person.isLoginBlocked()) self.assertTrue(person.isLoginBlocked())
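Review bot: The loop variable in the new `for i in range (0, 1000):` is never used and the space before the parenthesis is not PEP 8; write `for _ in range(1000):`. The limit 3 is hard-coded in the new assertion as in the ones above it; if the test can read the configured maximum from the same preference the policy consults, asserting against that value documents what is actually enforced rather than a number that must be kept in sync by hand. Note also that the loop only checks the length returned by notifyLoginFailure(), so whether the storage backend itself is bounded depends on that method's implementation, which is outside this hunk. The enclosing test method starts before the hunk.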
...@@ -179,6 +179,7 @@ class ERP5UserManager(BasePlugin): ...@@ -179,6 +179,7 @@ class ERP5UserManager(BasePlugin):
return authentication_result return authentication_result
# authentication policy enabled, we need person object anyway # authentication policy enabled, we need person object anyway
# XXX: every request is a MySQL call
user_list = self.getUserByLogin(credentials.get('login')) user_list = self.getUserByLogin(credentials.get('login'))
if not user_list: if not user_list:
# not an ERP5 Person object # not an ERP5 Person object
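Review bot: The added `# XXX: every request is a MySQL call` names a cost without saying why it matters at this spot: once the authentication policy is enabled (see the comment above it), this lookup runs for every request carrying a login, so each authentication attempt triggers a query. Stating that consequence and what should be done about it makes the marker actionable, e.g. `# XXX: getUserByLogin() issues a SQL query on every request once the policy is enabled; consider caching the lookup within the transaction`. The enclosing method starts and ends outside the hunk.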