diff --git a/C4/Auth.pm b/C4/Auth.pm
index 8a4166d251..74c2792477 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1209,6 +1209,8 @@ sub checkauth {
push @inputs, { name => $name, value => $value };
}
+ my $patron = Koha::Patrons->find({ userid => $q_userid }); # Not necessary logged in!
+
my $LibraryNameTitle = C4::Context->preference("LibraryName");
$LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
$LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
@@ -1258,6 +1260,7 @@ sub checkauth {
PatronSelfRegistration => C4::Context->preference("PatronSelfRegistration"),
PatronSelfRegistrationDefaultCategory => C4::Context->preference("PatronSelfRegistrationDefaultCategory"),
opac_css_override => $ENV{'OPAC_CSS_OVERRIDE'},
+ too_many_login_attempts => ( $patron and $patron->account_locked ),
);
$template->param( SCO_login => 1 ) if ( $query->param('sco_user_login') );
@@ -1756,28 +1759,39 @@ sub get_session {
sub checkpw {
my ( $dbh, $userid, $password, $query, $type, $no_set_userenv ) = @_;
$type = 'opac' unless $type;
- if ($ldap) {
+
+ my @return;
+ my $patron = Koha::Patrons->find({ userid => $userid });
+
+ if ( $patron and $patron->account_locked ) {
+ @return = (0);
+ } elsif ($ldap) {
$debug and print STDERR "## checkpw - checking LDAP\n";
my ( $retval, $retcard, $retuserid ) = checkpw_ldap(@_); # EXTERNAL AUTH
- return 0 if $retval == -1; # Incorrect password for LDAP login attempt
- ($retval) and return ( $retval, $retcard, $retuserid );
- }
+ if ( $retval ) {
+ @return = ( $retval, $retcard, $retuserid );
+ } else {
+ @return = (0);
+ }
- if ( $cas && $query && $query->param('ticket') ) {
+ } elsif ( $cas && $query && $query->param('ticket') ) {
$debug and print STDERR "## checkpw - checking CAS\n";
# In case of a CAS authentication, we use the ticket instead of the password
my $ticket = $query->param('ticket');
$query->delete('ticket'); # remove ticket to come back to original URL
my ( $retval, $retcard, $retuserid ) = checkpw_cas( $dbh, $ticket, $query, $type ); # EXTERNAL AUTH
- ($retval) and return ( $retval, $retcard, $retuserid );
- return 0;
+ if ( $retval ) {
+ @return = ( $retval, $retcard, $retuserid );
+ } else {
+ @return = (0);
+ }
}
# If we are in a shibboleth session (shibboleth is enabled, and a shibboleth match attribute is present)
# Check for password to asertain whether we want to be testing against shibboleth or another method this
# time around.
- if ( $shib && $shib_login && !$password ) {
+ elsif ( $shib && $shib_login && !$password ) {
$debug and print STDERR "## checkpw - checking Shibboleth\n";
@@ -1788,13 +1802,23 @@ sub checkpw {
# Then, we check if it matches a valid koha user
if ($shib_login) {
my ( $retval, $retcard, $retuserid ) = C4::Auth_with_shibboleth::checkpw_shib($shib_login); # EXTERNAL AUTH
- ($retval) and return ( $retval, $retcard, $retuserid );
- return 0;
+ if ( $retval ) {
+ @return = ( $retval, $retcard, $retuserid );
+ } else {
+ @return = (0);
+ }
}
}
# INTERNAL AUTH
- return checkpw_internal( $dbh, $userid, $password, $no_set_userenv);
+ @return = checkpw_internal( $dbh, $userid, $password, $no_set_userenv) unless @return;
+
+ if ( $return[0] == 0 ) {
+ $patron->update({ login_attempts => $patron->login_attempts + 1 }) if $patron;
+ } elsif ( $return[1] == 1 ) {
+ $patron->update({ login_attempts => 0 })->store if $patron;
+ }
+ return @return;
}
sub checkpw_internal {
diff --git a/Koha/Patron.pm b/Koha/Patron.pm
index b97bceb258..860a4b6cf2 100644
--- a/Koha/Patron.pm
+++ b/Koha/Patron.pm
@@ -630,6 +630,24 @@ sub get_enrollable_clubs {
return wantarray ? $e->as_list : $e;
}
+=head3 account_locked
+
+my $is_locked = $patron->account_locked
+
+Return true if the patron has reach the maximum number of login attempts (see pref FailedLoginAttempts).
+Otherwise return false.
+If the pref is not set (empty string, null or 0), the feature is considered as disabled.
+
+=cut
+
+sub account_locked {
+ my ($self) = @_;
+ my $FailedLoginAttempts = C4::Context->preference('FailedLoginAttempts');
+ return ( $FailedLoginAttempts
+ and $self->login_attempts
+ and $self->login_attempts >= $FailedLoginAttempts )? 1 : 0;
+}
+
=head3 type
=cut
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index c6a050c02d..7d6716598d 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -1,3 +1,4 @@
+[% USE Koha %]
[% USE Branches %]
[% SET footerjs = 1 %]
[% INCLUDE 'doc-head-open.inc' %]
@@ -5,7 +6,8 @@
[% IF ( nopermission ) %]Access denied[% END %]
[% IF ( timed_out ) %]Session timed out[% END %]
[% IF ( different_ip ) %]IP address change[% END %]
- [% IF ( invalid_username_or_password ) %]Invalid username or password[% END %]
+ [% IF too_many_login_attempts %]This account has been locked.
+ [% ELSIF invalid_username_or_password %]Invalid username or password[% END %]
[% IF ( loginprompt ) %]Log in to Koha[% END %]
[% INCLUDE 'doc-head-close.inc' %]
@@ -37,7 +39,9 @@
Error: Autolocation is switched on and you are logging in with an IP address that doesn't match your library.
[% END %]
-[% IF ( invalid_username_or_password ) %]
+[% IF too_many_login_attempts %]
+Error: This account has been locked!
+[% ELSIF invalid_username_or_password %]
Error: Invalid username or password
[% END %]
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
index 6d941bf8f2..31cfbc63c5 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@@ -53,7 +53,17 @@
[% END %]
- [% IF ( invalid_username_or_password ) %]
+
+ [% IF too_many_login_attempts %]
+
+ This account has been locked!
+ [% IF Koha.Preference('OpacResetPassword') %]
+
You must reset your password.
+ [% ELSE %]
+ Please contact a library staff member.
+ [% END %]
+
You entered an incorrect username or password. Please try again! And remember, passwords are case sensitive.