[MDL-21342] Account lockout after failed login attempts - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.0, 2.4.3
Fix Version/s: 2.5
Component/s: Administration, Authentication, Web Services
Labels:
- triaged
- ui_change

Database:

Any
Affected Branches:
MOODLE_20_STABLE, MOODLE_24_STABLE
Fixed Branches:
MOODLE_25_STABLE
Pull Master Branch:
w51_~~MDL-21342~~_m25_lockout
Pull Master Diff URL:
https://github.com/skodak/moodle/compare/master...w51_MDL-21342_m25_lockout
Testing Instructions:
Hide

1/ run phpunit tests
2/ set some low threshold and timeouts and try lockouts

verify user gets email with unlock instructions

verify account is unlocked automatically after selected time without failed logins

verify that more attempts in some longer window do not trigger lockout

verify admin may unlock accounts manually from the Admins / Users / Accounts / Browse list of users
Show
1/ run phpunit tests 2/ set some low threshold and timeouts and try lockouts verify user gets email with unlock instructions verify account is unlocked automatically after selected time without failed logins verify that more attempts in some longer window do not trigger lockout verify admin may unlock accounts manually from the Admins / Users / Accounts / Browse list of users

Description

Implement a lockout system for web services => when wrong password too many time, lock the user (except if IP restriction field is not empty)
Maybe do an administration too to unlock and visualize locked
nothing needed for token
Specs needed.
log needed when a lockout happens.

Balsamiq Wireframes

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

documentation_MDL-21342.pdf
202 kB
20/Nov/12 12:46 PM
testingInstructions.pdf
177 kB
20/Nov/12 12:46 PM
webservice lockout.bmml
3 kB
25/Jan/10 9:44 PM
webservice lockout.png
43 kB
25/Jan/10 9:44 PM
wslockoutadmin.png
52 kB
25/Jan/10 9:48 PM

Issue Links

caused a regression

MDL-37515 PHP Notice when submitting change password form

Closed

has a non-specific relationship to

MDL-37405 Consider backporting login lockout system to 2.4

Closed

has been marked as being related by

MDL-18339 Site policies: Allow site setting for maximum number of login attempts

Closed

Sub-Tasks

Implement a failed login lockout system for web service authentication.

Closed

Unassigned

Activity

People

Assignee:: Petr Skoda

Reporter:: Jérôme Mouneyrac

Peer reviewer:: Damyon Wiese

Integrator:: Sam Hemelryk

Tester:: Jason Fowler

Participants:: Andrew Lyons, Damyon Wiese, Dan Poltawski, David Kettle, Eduardo Kraus, Eloy Lafuente (stronk7), Helen Foster, Helge Wiethoff, Jason Fowler, Jérôme Mouneyrac, Moodle HQ, Petr Skoda, Sam Hemelryk, Simon Coggins, Steve Massicotte

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, Juan Leyva, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 10 Vote for this issue

Watchers:: 21 Start watching this issue

Dates

Created:: 15/Jan/10 1:20 AM

Updated:: 16/Apr/20 4:45 AM

Resolved:: 12/Jan/13 1:17 AM

Fix Release Date:: 14/May/13