Make sure no more than set in preferences authentication failures are

saved. Add comment.

Make sure no more than set in preferences authentication failures are
saved. Add comment.
7dd043a7 · Ivan Tyagov · 8e37853d · 7dd043a7 · 7dd043a7
Commit 7dd043a7 authored Jul 21, 2011 by Ivan Tyagov
Showing with 6 additions and 0 deletions

product/ERP5/tests/testAuthenticationPolicy.py product/ERP5/tests/testAuthenticationPolicy.py +5 -0

product/ERP5Security/ERP5UserManager.py product/ERP5Security/ERP5UserManager.py +1 -0

No files found.
--- a/product/ERP5/tests/testAuthenticationPolicy.py
+++ b/product/ERP5/tests/testAuthenticationPolicy.py
@@ -110,6 +110,11 @@ class TestAuthenticationPolicy(ERP5TypeTestCase):
    # file two more failures so we should detect and block account
    self.assertEqual(2, len(person.notifyLoginFailure()))
    self.assertEqual(3, len(person.notifyLoginFailure()))
+    
+    # we do not need to store more than max allowed failures so check it here
+    # this way a bot can not brute force us by filling up session storage backend
+    for i in range (0, 1000):
+      self.assertEqual(3, len(person.notifyLoginFailure()))

    #import pdb; pdb.set_trace()
    self.assertTrue(person.isLoginBlocked())

--- a/product/ERP5Security/ERP5UserManager.py
+++ b/product/ERP5Security/ERP5UserManager.py
@@ -179,6 +179,7 @@ class ERP5UserManager(BasePlugin):
          return authentication_result
        
        # authentication policy enabled, we need person object anyway
+        # XXX: every request is a MySQL call
        user_list = self.getUserByLogin(credentials.get('login'))
        if not user_list:
          # not an ERP5 Person object