Marcel de Rooy
716301d6f5
We should not expose more information than needed when someone tries to log in with invalid credentials. Saying that an account is locked reveals that the account exists (or perhaps an email address).

Trivial fix. Keeping the var too_many_login_attempts for staff.

Note: We do not remove this distinction for the staff client here (in the assumption that a library may well have additional security measures in place for staff client). But it could be done too (on another report).

Test plan:
Enable lockout feature.
Enter invalid credentials until account locks out (on OPAC !!)
Note that the message no longer changes to 'Account is locked'.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

- bootstrap
- lib
- xslt