Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Part of #1775842: [meta] Convert all variables to state and/or config systems
The failed user login settings need to be converted to the new configuration management system
The variables are:
- user_failed_login_identifier_uid_only
- user_failed_login_ip_limit
- user_failed_login_ip_window
- user_failed_login_user_limit
- user_failed_login_user_window
Comments
Comment #1
kim.pepperFirst variable is user_failed_login_identifier_uid_only
Comment #2
aspilicious CreditAttribution: aspilicious commentedCan you explain what these variables do?
It's possible we need to find better names for them.
Comment #3
larowlanI think these are the flood settings for failed logins to prevent brute force password attempts.
There is no UI on core, but one is available in contrib.
There are a few bug reports regarding the lack of UI.
Comment #4
aspilicious CreditAttribution: aspilicious commentedWhat about this than:
I'm not 100% happy with this it's missing a flood reference. Maybe we need a user.flood.yml to save this settings?
So second proposal: user.flood.yml
Comment #5
kim.pepperThanks for the review aspilicious. I agree with your 2nd approach and have attached a patch that moves these to user.flood.yml and converted the rest of the settings.
Kim
Comment #7
kim.pepperForgot to save config
Comment #8
kim.pepperComment #10
kim.pepperAdded hook_update_N() for converting variables to config.
Comment #11
larowlanLooks good, just some minor whitespace issues.
whitespace
whitespace
whitespace
whitespace
whitespace
whitespace
Comment #12
kim.pepperFixed whitespace issues
Comment #13
kim.pepperComment #14
aspilicious CreditAttribution: aspilicious commentedidentifier_uid_only sounds a bit verbose what is wrong with uid_only?
Comment #15
kim.pepperI was struggling with the right amount of verbosity in order to convey enough detail. I agree that identifier_uid_only could be changed to uid_only.
I wonder if we should change the settings file from user.flood.yml to user.login-flood.yml to give it more meaning?
Kim
Comment #16
kim.pepperRenamed identifier_uid_only to uid_only
Comment #17
larowlanshould be uid_only
Comment #18
kim.pepperFixed missing rename of uid_only in update_hook
Comment #20
kim.pepper#18: 1777490-18-convert-user-failed-login-settings.patch queued for re-testing.
Comment #21
kim.pepperTagging as configuration system
Comment #22
Anonymous (not verified) CreditAttribution: Anonymous commentedlooks good. only nitpick is code like this:
should probably be:
Comment #23
kim.pepperI think the inline comments are important there, so that's why they are in expanded format. Is there a better way to put those comments around the config->set() calls?
I've re-rolled against 8.x.
Comment #24
Anonymous (not verified) CreditAttribution: Anonymous commentedphp allows code like this:
but, meh, it's mainly a style thing, so i don't think it should hold up the patch.
on the comments, "// Set the global login limit." is unnecessary and can go. the other comment seems useful because it has some 'why' in it.
Comment #25
kim.pepperThanks for the feedback beejeebus. I've updated the patch to match your style recommendations, and removed the unnecessary comments.
Comment #27
kim.pepper#25: 1777490-25-convert-user-failed-login-settings.patch queued for re-testing.
Comment #29
kim.pepperRe-rolled against latest 8.x
Comment #30
Anonymous (not verified) CreditAttribution: Anonymous commentednice work, i think this is RTBC now.
Comment #31
Dries CreditAttribution: Dries commentedGreat! I committed it to 8.x. Thanks for the patch ping-pong; i.e. the attention to detail and persistence to get it right.
Comment #32.0
(not verified) CreditAttribution: commentedAdded variables