[SS-2016-005] FIX Apply brute force protection to default admin
This commit is contained in:
parent
1f820b0b1c
commit
f32c893546
@ -349,7 +349,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
||||
* Returns true if this user is locked out
|
||||
*/
|
||||
public function isLockedOut() {
|
||||
return $this->LockedOutUntil && time() < strtotime($this->LockedOutUntil);
|
||||
return $this->LockedOutUntil && SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);
|
||||
}
|
||||
|
||||
/**
|
||||
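Review bot: The new comparison in isLockedOut() relies on PHP's numeric-string coercion — if SS_Datetime::Format('U') returns a string, as a date()-backed formatter would, the `<` against the int from strtotime() and the `+ $lockoutMins*60` arithmetic in the second hunk (the LockedOutUntil assignment) both work only because the string happens to be numeric. Casting at the call sites makes the intent explicit and rules out a fall-back to string comparison: `return $this->LockedOutUntil && (int) SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);` and `$this->LockedOutUntil = date('Y-m-d H:i:s', (int) SS_Datetime::now()->Format('U') + $lockoutMins*60);`. A one-line comment such as `// Use SS_Datetime::now() rather than time() so lockouts can be tested with set_mock_now()` would also record why the real clock is avoided. The function enclosing the second hunk starts outside it.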
@ -1565,7 +1565,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
||||
|
||||
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
|
||||
$lockoutMins = self::config()->lock_out_delay_mins;
|
||||
$this->LockedOutUntil = date('Y-m-d H:i:s', time() + $lockoutMins*60);
|
||||
$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
|
||||
$this->write();
|
||||
}
|
||||
}
|
||||
|
@ -49,8 +49,11 @@ class MemberAuthenticator extends Authenticator {
|
||||
if($asDefaultAdmin) {
|
||||
// If logging is as default admin, ensure record is setup correctly
|
||||
$member = Member::default_admin();
|
||||
$success = Security::check_default_admin($email, $data['Password']);
|
||||
if($success) return $member;
|
||||
$success = !$member->isLockedOut() && Security::check_default_admin($email, $data['Password']);
|
||||
//protect against failed login
|
||||
if($success) {
|
||||
return $member;
|
||||
}
|
||||
}
|
||||
|
||||
// Attempt to identify user by email
|
||||
|
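Review bot: The comment `//protect against failed login` sits between the `$success` assignment and the `if($success)` and describes neither; the lockout check is on the line above it, so move the comment there and state what it guards: `// Refuse the default admin while locked out, so repeated guesses cannot brute force the password`. The short-circuit means a locked-out default admin's password is never checked, which is the intended protection, but the hunk does not show whether such an attempt is still counted as a failure in the fall-through path below — worth a sentence in that comment once confirmed against the rest of authenticate(). authenticate() itself starts and ends outside this hunk.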
@ -164,4 +164,22 @@ class MemberAuthenticatorTest extends SapphireTest {
|
||||
$this->assertEquals('The provided details don't seem to be correct. Please try again.', $form->Message());
|
||||
$this->assertEquals('bad', $form->MessageType());
|
||||
}
|
||||
|
||||
public function testDefaultAdminLockOut()
|
||||
{
|
||||
Config::inst()->update('Member', 'lock_out_after_incorrect_logins', 1);
|
||||
Config::inst()->update('Member', 'lock_out_delay_mins', 10);
|
||||
SS_Datetime::set_mock_now('2016-04-18 00:00:00');
|
||||
$controller = new Security();
|
||||
$form = new Form($controller, 'Form', new FieldList(), new FieldList());
|
||||
|
||||
// Test correct login
|
||||
MemberAuthenticator::authenticate(array(
|
||||
'Email' => 'admin',
|
||||
'Password' => 'wrongpassword'
|
||||
), $form);
|
||||
|
||||
$this->assertTrue(Member::default_admin()->isLockedOut());
|
||||
$this->assertEquals(Member::default_admin()->LockedOutUntil, '2016-04-18 00:10:00');
|
||||
}
|
||||
}
|
||||
|
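Review bot: The comment `// Test correct login` above the authenticate() call contradicts it — the call deliberately sends 'wrongpassword' to trigger the lockout; change it to `// A wrong password for the default admin should trigger the lockout`. The test also stops short of the behaviour the commit adds: it should assert that a second attempt with the correct default admin password is refused while the clock is still mocked at 2016-04-18 00:00:00, and succeeds once SS_Datetime::set_mock_now() is moved past 2016-04-18 00:10:00. If SapphireTest::tearDown() does not already call SS_Datetime::clear_mock_now(), the test should do so itself so the mocked clock does not leak into later tests.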