[SS-2016-005] FIX Apply brute force protection to default admin
This commit is contained in:
parent
1f820b0b1c
commit
f32c893546
@ -349,7 +349,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
|||||||
* Returns true if this user is locked out
|
* Returns true if this user is locked out
|
||||||
*/
|
*/
|
||||||
public function isLockedOut() {
|
public function isLockedOut() {
|
||||||
return $this->LockedOutUntil && time() < strtotime($this->LockedOutUntil);
|
return $this->LockedOutUntil && SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
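Review bot: In the new isLockedOut() body `SS_Datetime::now()->Format('U')` yields a string, so the `<` against the integer from `strtotime()` depends on PHP's numeric-string coercion; make it explicit with `return $this->LockedOutUntil && (int) SS_Datetime::now()->Format('U') < strtotime($this->LockedOutUntil);` so the intent survives a later strict-typing pass. The method also returns whatever `$this->LockedOutUntil` evaluates to when the field is empty rather than a strict `false`, while the docblock promises `true`/`false`; wrapping the expression in `(bool)` and adding `@return bool` would make the two agree. The move to the mockable clock is what lets the new test pin the timestamp, so a one-line comment such as `// Use the mockable clock so lockout timing is testable` would stop someone reverting it to `time()`.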
@ -1565,7 +1565,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
|||||||
|
|
||||||
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
|
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
|
||||||
$lockoutMins = self::config()->lock_out_delay_mins;
|
$lockoutMins = self::config()->lock_out_delay_mins;
|
||||||
$this->LockedOutUntil = date('Y-m-d H:i:s', time() + $lockoutMins*60);
|
$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
|
||||||
$this->write();
|
$this->write();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
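Review bot: The lockout expiry on the new `$this->LockedOutUntil = date(...)` line adds `$lockoutMins*60` to the string returned by `SS_Datetime::now()->Format('U')`, relying on coercion; `$this->LockedOutUntil = date('Y-m-d H:i:s', (int) SS_Datetime::now()->Format('U') + $lockoutMins*60);` states it plainly. The surrounding guard `FailedLoginCount >= lock_out_after_incorrect_logins` is true for every failed login if that config value is 0 or unset, so either confirm the disabled case is handled earlier in the method (its start is outside this hunk) or add `lock_out_after_incorrect_logins > 0 &&` to the condition. Note that `date()` here and `strtotime()` in isLockedOut() both use PHP's default timezone, which keeps the round trip consistent only as long as the mock clock supplies a genuine epoch value — worth a short comment.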
@ -49,8 +49,11 @@ class MemberAuthenticator extends Authenticator {
|
|||||||
if($asDefaultAdmin) {
|
if($asDefaultAdmin) {
|
||||||
// If logging is as default admin, ensure record is setup correctly
|
// If logging is as default admin, ensure record is setup correctly
|
||||||
$member = Member::default_admin();
|
$member = Member::default_admin();
|
||||||
$success = Security::check_default_admin($email, $data['Password']);
|
$success = !$member->isLockedOut() && Security::check_default_admin($email, $data['Password']);
|
||||||
if($success) return $member;
|
//protect against failed login
|
||||||
|
if($success) {
|
||||||
|
return $member;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Attempt to identify user by email
|
// Attempt to identify user by email
|
||||||
|
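Review bot: The new comment `//protect against failed login` sits above the success branch and says nothing about the failure path, which is the part that matters: a locked-out or mis-authenticated default admin is not rejected here but falls through to the `// Attempt to identify user by email` lookup below, and it is presumably that code (outside this hunk) that records the failed attempt and returns the rejection. Replace it with `// Locked-out admins never succeed here; on failure fall through to the normal lookup so the attempt is counted against the default admin record`. Because `!$member->isLockedOut()` is evaluated first, `Security::check_default_admin()` is skipped entirely while locked out, so the fall-through path must also refuse the default admin's real credentials or the lockout is bypassable — verify that, since it is not visible in this hunk. The enclosing method begins before the hunk.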
@ -164,4 +164,22 @@ class MemberAuthenticatorTest extends SapphireTest {
|
|||||||
$this->assertEquals('The provided details don't seem to be correct. Please try again.', $form->Message());
|
$this->assertEquals('The provided details don't seem to be correct. Please try again.', $form->Message());
|
||||||
$this->assertEquals('bad', $form->MessageType());
|
$this->assertEquals('bad', $form->MessageType());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testDefaultAdminLockOut()
|
||||||
|
{
|
||||||
|
Config::inst()->update('Member', 'lock_out_after_incorrect_logins', 1);
|
||||||
|
Config::inst()->update('Member', 'lock_out_delay_mins', 10);
|
||||||
|
SS_Datetime::set_mock_now('2016-04-18 00:00:00');
|
||||||
|
$controller = new Security();
|
||||||
|
$form = new Form($controller, 'Form', new FieldList(), new FieldList());
|
||||||
|
|
||||||
|
// Test correct login
|
||||||
|
MemberAuthenticator::authenticate(array(
|
||||||
|
'Email' => 'admin',
|
||||||
|
'Password' => 'wrongpassword'
|
||||||
|
), $form);
|
||||||
|
|
||||||
|
$this->assertTrue(Member::default_admin()->isLockedOut());
|
||||||
|
$this->assertEquals(Member::default_admin()->LockedOutUntil, '2016-04-18 00:10:00');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
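Review bot: The comment `// Test correct login` in testDefaultAdminLockOut() is wrong — the request sends `'wrongpassword'` and the assertions expect a lockout; change it to `// One failed login must lock the default admin out (threshold set to 1 above)`. The `assertEquals` arguments are reversed relative to PHPUnit's (expected, actual) order; write `$this->assertEquals('2016-04-18 00:10:00', Member::default_admin()->LockedOutUntil);` so failure messages read correctly. The test shows the lockout is recorded but not that MemberAuthenticator refuses the default admin while locked out, which is the behaviour this commit adds; a second `authenticate()` call with the correct default-admin credentials asserting a null/false result, and a third after moving the mock clock past 00:10:00 asserting success, would cover it. The config updates and mock clock set here are not visibly restored, so confirm the base test class resets them between tests or clear them in tearDown.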