Changeset 30848


Timestamp:
Jan 4, 2015, 3:18:16 PM (9 years ago)
Author:
Eric
Message:

Next version is 2.7.5 :
Fixed - Admins and Webmaster accounts were not correctly excluded on login failure protection

Location:
extensions/Password_Policy
Files:
2 edited

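--- a/extensions/Password_Policy/changelog.txt.php
+++ b/extensions/Password_Policy/changelog.txt.php
@@ -66,4 +66,7 @@
 
 --- 2.7.4 : Fix white page for german users (bug lexiglot)
+
+--- 2.7.5 : Fixed - Admin and Webmaster accounts were not correctly excluded on login failure protection
+             
 */
 ?>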
  • extensions/Password_Policy/include/functions.inc.php

    r27179 r30848  
    147147  $conf_PP = unserialize($conf['PasswordPolicy']);
    148148
    149   if (
    150         (isset($conf_PP['NBLOGFAIL']) and $conf_PP['NBLOGFAIL'] <> 0)
     149  if ((isset($conf_PP['NBLOGFAIL']) and $conf_PP['NBLOGFAIL'] <> 0)
    151150    and (isset($conf_PP['LOGFAILBLOCK']) and $conf_PP['LOGFAILBLOCK'] == 'true')
    152     and !is_admin()
    153     and !is_webmaster()
    154151    )
    155152  {
    156     // If login failure then increments loginfailcount value in database
    157     $query = '
     153    $query ='
     154SELECT ui.status
     155FROM '.USER_INFOS_TABLE.' AS ui
     156  LEFT JOIN '.USERS_TABLE.' AS u
     157    ON u.id = ui.user_id
     158WHERE(u.username = "'.stripslashes($username).'")
     159;';
     160    $exclude = pwg_db_fetch_assoc(pwg_query($query));
     161
     162    // Exclude specific accounts
     163    if ($exclude['status'] <> "webmaster" and $exclude['status'] <> "admin" and $exclude['status'] <> "generic")
     164    {
     165      // If login failure then increments loginfailcount value in database
     166      $query = '
    158167UPDATE '.USERS_TABLE.'
    159168SET PP_loginfailcount = PP_loginfailcount+1
     
    161170LIMIT 1
    162171;';
    163     pwg_query($query);
    164 
    165     $query = '
     172      pwg_query($query);
     173
     174      $query = '
    166175SELECT PP_loginfailcount
    167176FROM '.USERS_TABLE.'
     
    169178;';
    170179
    171     $datas = pwg_db_fetch_assoc(pwg_query($query));
    172 
    173     // If number of failed logon exeeds $conf_PP['NBLOGFAIL'], set the account as locked
    174     if (isset($datas['PP_loginfailcount']) and $datas['PP_loginfailcount'] >= $conf_PP['NBLOGFAIL'])
    175     {
    176       $query = '
     180      $datas = pwg_db_fetch_assoc(pwg_query($query));
     181
     182      // If number of failed logon exceeds $conf_PP['NBLOGFAIL'], set the account as locked
     183      if (isset($datas['PP_loginfailcount']) and $datas['PP_loginfailcount'] >= $conf_PP['NBLOGFAIL'])
     184      {
     185        $query = '
    177186UPDATE '.USERS_TABLE.'
    178187SET PP_lock = "true"
     
    180189LIMIT 1
    181190;';
    182       pwg_query($query);
    183 
     191        pwg_query($query);
     192      }
    184193    }
    185194  }
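Review bot: The new SELECT at line 158 builds its WHERE clause by concatenating `stripslashes($username)` into the SQL string; `stripslashes` removes escaping rather than adding it, so the login name submitted with the failed attempt reaches the query unescaped, and the status lookup should escape it with the database layer's own function, `WHERE u.username = "'.pwg_db_real_escape_string($username).'"` (the WHERE lines of the two UPDATE/SELECT statements that follow, old 160/169 and new 169/178, are blank in this rendering, so whether they share the same pattern cannot be checked here). At line 163 `$exclude['status']` is read without checking that a row came back: for a username that does not exist, `pwg_db_fetch_assoc` returns no row, the three `<>` comparisons all hold against the missing value, and execution proceeds into the increment branch with a notice; guard it with `if (isset($exclude['status']) and !in_array($exclude['status'], array('webmaster', 'admin', 'generic'), true))`. The enclosing function starts before this hunk, so the origin of `$username` is not visible here and is assumed to be the form input of the failed login.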