Fixed an issue where even if the user is locked, he can reset the password and can login into pgAdmin. Fixes #6664

2025-02-25 18:55:31 -06:00 · 2021-08-09 14:24:26 +05:30
parent 5e3aa305fd
commit 78b041465e
3 changed files with 13 additions and 3 deletions
--- a/web/pgadmin/authenticate/init.py
+++ b/web/pgadmin/authenticate/init.py
@@ -53,7 +53,8 @@ def login():
    session['auth_source_manager'] = None

    username = form.data['email']
-    user = User.query.filter_by(username=username).first()
+    user = User.query.filter_by(username=username,
+                                auth_source=INTERNAL).first()

    if user:
        if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
@@ -108,7 +109,8 @@ def login():

        session['auth_source_manager'] = current_auth_obj

-        user.login_attempts = 0
+        if user:
+            user.login_attempts = 0
        db.session.commit()

        if 'auth_obj' in session:
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@@ -31,7 +31,8 @@ from flask_security.recoverable import reset_password_token_status, \
    generate_reset_password_token, update_password
 from flask_security.signals import reset_password_instructions_sent
 from flask_security.utils import config_value, do_flash, get_url, \
-    get_message, slash_url_suffix, login_user, send_mail, logout_user
+    get_message, slash_url_suffix, login_user, send_mail, logout_user, \
+    get_post_logout_redirect
 from flask_security.views import _security, view_commit, _ctx
 from werkzeug.datastructures import MultiDict

@@ -1329,6 +1330,12 @@ if hasattr(config, 'SECURITY_RECOVERABLE') and config.SECURITY_RECOVERABLE:
                auth_obj = AuthSourceManager(form, [INTERNAL])
                session['_auth_source_manager_obj'] = auth_obj.as_dict()

+                if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
+                    flash(gettext('You successfully reset your password but'
+                                  ' your account is locked. Please contact '
+                                  'the Administrator.'),
+                          'warning')
+                    return redirect(get_post_logout_redirect())
                do_flash(*get_message('PASSWORD_RESET'))
                login_user(user)
                auth_obj = AuthSourceManager(form, [INTERNAL])