diff --git a/app/models/user.rb b/app/models/user.rb
index 65bc658652..d216f8767d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -225,7 +225,9 @@ class User < Principal
end unless prevent_brute_force_attack(result, login).nil?
user.update_attribute(:last_login_on, Time.now) if user && !user.new_record?
- return user
+ # don't let brute force prevention allow a user access that was
+ # denied earlier
+ return user if result
end
nil
end
@@ -353,6 +355,7 @@ class User < Principal
#
def failed_too_many_recent_login_attempts?
block_threshold = Setting.brute_force_block_after_failed_logins.to_i
+ return false if block_threshold == 0 # disabled
return (last_failed_login_within_block_time? and self.failed_login_count >= block_threshold)
end
diff --git a/features/users/brute_force_prevention.feature b/features/users/brute_force_prevention.feature
index 929e4bd588..7c342bcb63 100644
--- a/features/users/brute_force_prevention.feature
+++ b/features/users/brute_force_prevention.feature
@@ -33,3 +33,9 @@ Feature: Prevent brute force attacks
And I try to log in with user "bob"
Then I should see "Bob Bobbit"
+ Scenario: Brute force prevention is disabled
+ Given users are blocked for 5 minutes after 0 failed login attempts
+ When I try to log in with user "bob" and a wrong password
+ Then I should not see "Bob Bobbit"
+ When I try to log in with user "bob"
+ Then I should see "Bob Bobbit"
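Review bot: The `last_login_on` update on the line just above the new guard is still executed whenever `user` is a persisted record, so in exactly the case `return user if result` now refuses — a login that `result` says was denied — the account's last-login timestamp is written as if the login had succeeded. If `result` can be falsy at this point (the new guard implies it can), the update should be conditioned on it too: `user.update_attribute(:last_login_on, Time.now) if result && user && !user.new_record?`. Recording a login time on a failed attempt also misleads anyone using that field to spot unexpected access. The enclosing method starts before this hunk, so whether `result` is always truthy once `prevent_brute_force_attack` returns non-nil cannot be confirmed from the visible lines.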
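Review bot: `Setting.brute_force_block_after_failed_logins.to_i` evaluates to 0 not only for an explicit "0" but also for a nil, blank or non-numeric setting, so the new early return silently switches blocking off in those misconfiguration cases as well; the inline comment should make that visible, e.g. `return false if block_threshold == 0 # 0 (or an unset/unparseable setting) disables blocking`. A negative value passes this guard and makes `failed_login_count >= block_threshold` true for every user with a recent failed login, so unless the setting is validated elsewhere a `<= 0` comparison, or explicit rejection of negatives, would be safer. The method's doc comment above (only its closing `#` is in the hunk) is the natural place to state that 0 means disabled, and `block_threshold.zero?` is the more idiomatic spelling of the check.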
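Review bot: The step `Given users are blocked for 5 minutes after 0 failed login attempts` reads on its own as "block after zero failures", the opposite of what the scenario title says it configures, and nothing in the feature explains the convention. A one-line Gherkin comment above the step, `# a threshold of 0 switches brute force prevention off`, would keep the intent readable without touching the step definition. The scenario itself does distinguish the two behaviours, since with a threshold of 0 a single wrong password would otherwise already block the account.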