0
Answered

max login attempts does not deactivate user

jean luc lacroix 1 year ago updated by Vlad R 10 months ago 2

I am testing FileRun (ver 20220202) and I ran into an issue with the max_login_attempts. When reaching the limit the user is not deactivated as expected and its counter (failed_login_attempts) does not increase further. Here follows output from the filerun MySql tables

MariaDB [filerun]> SELECT * FROM df_settings WHERE var="max_login_attempts";
+----+--------------------+------+
| id | var | val |
+----+--------------------+------+
| 27 | max_login_attempts | 3 |
+----+--------------------+------+
1 row in set (0.001 sec)

MariaDB [filerun]> SELECT username, failed_login_attempts, activated FROM df_users WHERE id=4;
+----------+-----------------------+-----------+
| username | failed_login_attempts | activated |
+----------+-----------------------+-----------+
| test | 3 | 1 |
+----------+-----------------------+-----------+
1 row in set (0.002 sec)

And the superuser control panel doesn't indicate anything about the deactivation status of the "test" user. Furthermore, according to the doc, the superuser can deactivate a user, but I don't see anything like a "Deactivate user account" button or link.

Image 973

Not helpful for your main question, but the option to deactivate users is present in my Superuser control panel at "Admin users" > user > "Basic Information" > second box > checkbox "This account is deactivated"

Answered

Better to use the control panel to make sure what settings are currently in use, as they get cached. Changing directly in the database might not take effect right away.

if you are testing against the superuser, the setting does not apply.