Merge pull request #64 from silverstripe-security/pulls/4.0/ss-2018-010

[SS-2018-010] Fix regression of SS-2017-002

src/Security/MemberAuthenticator/MemberAuthenticator.php

@@ -91,6 +91,11 @@ class MemberAuthenticator implements Authenticator
         // Validate against member if possible
         if ($member && !$asDefaultAdmin) {
             $this->checkPassword($member, $data['Password'], $result);
+        } elseif (!$asDefaultAdmin) {
+            // spoof a login attempt
+            $tempMember = Member::create();
+            $tempMember->{Member::config()->get('unique_identifier_field')} = $email;
+            $tempMember->validateCanLogin($result);
         }
 
         // Emit failure to member and form (if available)
@@ -164,7 +169,9 @@ class MemberAuthenticator implements Authenticator
      */
     protected function recordLoginAttempt($data, HTTPRequest $request, $member, $success)
     {
-        if (!Security::config()->get('login_recording')) {
+        if (!Security::config()->get('login_recording')
+            && !Member::config()->get('lock_out_after_incorrect_logins')
+        ) {
             return;
         }
 

tests/php/Security/MemberAuthenticatorTest.php

@@ -243,7 +243,6 @@ class MemberAuthenticatorTest extends SapphireTest
 
     public function testNonExistantMemberGetsLoginAttemptRecorded()
     {
-        Security::config()->set('login_recording', true);
         Member::config()
             ->set('lock_out_after_incorrect_logins', 1)
             ->set('lock_out_delay_mins', 10);
@@ -272,7 +271,6 @@ class MemberAuthenticatorTest extends SapphireTest
 
     public function testNonExistantMemberGetsLockedOut()
     {
-        Security::config()->set('login_recording', true);
         Member::config()
             ->set('lock_out_after_incorrect_logins', 1)
             ->set('lock_out_delay_mins', 10);