Hi,

I have login security set to block the user after 3 attempts, but it actually blocks it after 4. A user can give three bad passwords and then a good password and get it. This code seems to be at fault (line 190):

if ($variables['%user_current_count'] > $variables['%user_block_attempts']) {

I suspect the ">" should be a ">=". The code at line 149 seems to have the same issue for notifications:

if ($variables['%tracking_current_count'] > $variables['%activity_threshold'] ) {

fyi.

thanks!

Joseph Cheek
ed.gov Drupal architect

Comment | File | Size | Author
#2 | login_security-856618-2.patch | 2.2 KB | ilo

Comments

josephcheek

"get in", not "get it", above.

ilo

Status: Active » Needs review
File size: 2.2 KB

Deekayen, just rtbc or commit this little change in the >= if you wish. Actually, the test case was wrong; it was limiting the login attempts to 2 and checking three login attempts before blocking.

I've tested manually and it is also working.
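
As an added example (not the module's code and not the attached patch), this simplified PHP model replays the attempt sequences discussed in this issue against both comparison operators. The function names and the check-before-each-attempt model are assumptions made for illustration. It contrasts a test at exactly the limit with a test at limit + 1, the kind of configuration described in the comment above.

```php
<?php
// Added illustration: a simplified model of the lockout check, not login_security's code.
// $op is the comparison under test: '>' (as reported) or '>=' (as proposed).
function is_blocked(int $failed_count, int $block_attempts, string $op): bool {
  return $op === '>=' ? $failed_count >= $block_attempts
                      : $failed_count > $block_attempts;
}

// Replays a constructed sequence of password attempts (true = correct password)
// and returns the 1-based index of the attempt that logged in, or 0 if none did.
function first_successful_login(array $attempts, int $block_attempts, string $op): int {
  $failed = 0;
  foreach ($attempts as $i => $password_ok) {
    if (is_blocked($failed, $block_attempts, $op)) {
      return 0; // Account is blocked: even a correct password is refused.
    }
    if ($password_ok) {
      return $i + 1;
    }
    $failed++;
  }
  return 0;
}

// Constructed scenarios: [label, block_attempts, attempts].
$scenarios = [
  ['limit 3, three bad then good (exactly at the limit)', 3, [false, false, false, true]],
  ['limit 2, three bad then good (limit + 1)', 2, [false, false, false, true]],
];
foreach ($scenarios as [$label, $limit, $attempts]) {
  foreach (['>', '>='] as $op) {
    $n = first_successful_login($attempts, $limit, $op);
    printf("%-52s %-2s %s\n", $label, $op, $n ? "logged in on attempt $n" : 'blocked');
  }
}
```

Only the scenario that sits exactly at the limit gives different results for the two operators, so a regression test for this fix needs to make exactly the configured number of bad attempts before trying a good password.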

ilo

Status: Needs review » Reviewed & tested by the community

Marking as rtbc, tested and verified.

deekayen

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • deekayen committed 2bf0b99 on 6.x-1.x, 8.x-1.x
    #856618 by ilo, cheekdotcom: blocks user login after X+1 attempts, not X...