Fixed an issue where even if the user is locked, he can reset the password and can login into pgAdmin. Fixes #6664

2021-08-09 14:24:26 +05:30 · 2021-08-09 14:24:26 +05:30 · 78b041465e
parent 5e3aa305fd
commit 78b041465e
3 changed files with 13 additions and 3 deletions
--- a/docs/en_US/release_notes_5_6.rst
+++ b/docs/en_US/release_notes_5_6.rst
@ -29,3 +29,4 @@ Bug fixes
 | `Issue #6619 <https://redmine.postgresql.org/issues/6619>`_ -  Fixed incorrect binary path issue when the user deletes the binary path from the preferences.
 | `Issue #6643 <https://redmine.postgresql.org/issues/6643>`_ -  Ensure that all the required options should be loaded when the Range data type is selected while creating a custom data type.
 | `Issue #6650 <https://redmine.postgresql.org/issues/6650>`_ -  Fixed dashboard server activity issue when active_since parameter is None.
+| `Issue #6664 <https://redmine.postgresql.org/issues/6664>`_ -  Fixed an issue where even if the user is locked, he can reset the password and can login into pgAdmin.
--- a/web/pgadmin/authenticate/init.py
+++ b/web/pgadmin/authenticate/init.py
@ -53,7 +53,8 @@ def login():
    session['auth_source_manager'] = None

    username = form.data['email']
-    user = User.query.filter_by(username=username).first()
+    user = User.query.filter_by(username=username,
+                                auth_source=INTERNAL).first()

    if user:
        if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
@ -108,7 +109,8 @@ def login():

        session['auth_source_manager'] = current_auth_obj

-        user.login_attempts = 0
+        if user:
+            user.login_attempts = 0
        db.session.commit()

        if 'auth_obj' in session:
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@ -31,7 +31,8 @@ from flask_security.recoverable import reset_password_token_status, \
    generate_reset_password_token, update_password
 from flask_security.signals import reset_password_instructions_sent
 from flask_security.utils import config_value, do_flash, get_url, \
-    get_message, slash_url_suffix, login_user, send_mail, logout_user
+    get_message, slash_url_suffix, login_user, send_mail, logout_user, \
+    get_post_logout_redirect
 from flask_security.views import _security, view_commit, _ctx
 from werkzeug.datastructures import MultiDict

@ -1329,6 +1330,12 @@ if hasattr(config, 'SECURITY_RECOVERABLE') and config.SECURITY_RECOVERABLE:
                auth_obj = AuthSourceManager(form, [INTERNAL])
                session['_auth_source_manager_obj'] = auth_obj.as_dict()

+                if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
+                    flash(gettext('You successfully reset your password but'
+                                  ' your account is locked. Please contact '
+                                  'the Administrator.'),
+                          'warning')
+                    return redirect(get_post_logout_redirect())
                do_flash(*get_message('PASSWORD_RESET'))
                login_user(user)
                auth_obj = AuthSourceManager(form, [INTERNAL])