diff --git a/seahub/auth/views.py b/seahub/auth/views.py index 16f29ffc87..ae7b1a1a35 100644 --- a/seahub/auth/views.py +++ b/seahub/auth/views.py @@ -24,6 +24,7 @@ from seahub.auth.forms import PasswordResetForm, SetPasswordForm, PasswordChange from seahub.auth.tokens import default_token_generator from seahub.base.accounts import User from seahub.options.models import UserOptions +from seahub.profile.models import Profile from seahub.utils import is_ldap_user from seahub.utils.http import is_safe_url from seahub.utils.ip import get_remote_ip @@ -111,6 +112,16 @@ def _clear_login_failed_attempts(request): cache.delete(LOGIN_ATTEMPT_PREFIX + username) cache.delete(LOGIN_ATTEMPT_PREFIX + ip) +def _handle_login_form_valid(request, user, redirect_to, remember_me): + if UserOptions.objects.passwd_change_required( + user.username): + redirect_to = reverse('auth_password_change') + request.session['force_passwd_change'] = True + + # password is valid, log user in + request.session['remember_me'] = remember_me + return log_user_in(request, user, redirect_to) + @csrf_protect @never_cache def login(request, template_name='registration/login.html', @@ -131,49 +142,66 @@ def login(request, template_name='registration/login.html', remember_me = True if request.REQUEST.get('remember_me', '') == 'on' else False - if failed_attempt >= settings.LOGIN_ATTEMPT_LIMIT: - # have captcha - form = CaptchaAuthenticationForm(data=request.POST) - if form.is_valid(): - if UserOptions.objects.passwd_change_required( - form.get_user().username): - redirect_to = reverse('auth_password_change') - request.session['force_passwd_change'] = True + if failed_attempt >= config.LOGIN_ATTEMPT_LIMIT: + if bool(config.FREEZE_USER_ON_LOGIN_FAILED) is True: + # log user in if password is valid otherwise freeze account + form = authentication_form(data=request.POST) + if form.is_valid(): + return _handle_login_form_valid(request, form.get_user(), + redirect_to, remember_me) + else: + # freeze user account anyway + login = request.REQUEST.get('login', '') + email = Profile.objects.get_username_by_login_id(login) + if email is None: + email = login - # captcha & passwod is valid, log user in - request.session['remember_me'] = remember_me - return log_user_in(request, form.get_user(), redirect_to) + try: + user = User.objects.get(email) + user.is_active = False + user.save() + except User.DoesNotExist: + pass else: - # show page with captcha and increase failed login attempts - _incr_login_faied_attempts(username=username, ip=ip) + # log user in if password is valid otherwise show captcha + form = CaptchaAuthenticationForm(data=request.POST) + if form.is_valid(): + return _handle_login_form_valid(request, form.get_user(), + redirect_to, remember_me) + else: + # show page with captcha and increase failed login attempts + _incr_login_faied_attempts(username=username, ip=ip) else: + # login failed attempts < limit form = authentication_form(data=request.POST) if form.is_valid(): - if UserOptions.objects.passwd_change_required( - form.get_user().username): - redirect_to = reverse('auth_password_change') - request.session['force_passwd_change'] = True - - # password is valid, log user in - request.session['remember_me'] = remember_me - return log_user_in(request, form.get_user(), redirect_to) + return _handle_login_form_valid(request, form.get_user(), + redirect_to, remember_me) else: + # increase failed attempts login = urlquote(request.REQUEST.get('login', '').strip()) failed_attempt = _incr_login_faied_attempts(username=login, ip=ip) - if failed_attempt >= settings.LOGIN_ATTEMPT_LIMIT: + if failed_attempt >= config.LOGIN_ATTEMPT_LIMIT: logger.warn('Login attempt limit reached, email/username: %s, ip: %s, attemps: %d' % (login, ip, failed_attempt)) - form = CaptchaAuthenticationForm() + + if bool(config.FREEZE_USER_ON_LOGIN_FAILED) is True: + form = authentication_form(data=request.POST) + else: + form = CaptchaAuthenticationForm() else: form = authentication_form(data=request.POST) else: ### GET - if failed_attempt >= settings.LOGIN_ATTEMPT_LIMIT: + if failed_attempt >= config.LOGIN_ATTEMPT_LIMIT: logger.warn('Login attempt limit reached, ip: %s, attempts: %d' % (ip, failed_attempt)) - form = CaptchaAuthenticationForm(request) + if bool(config.FREEZE_USER_ON_LOGIN_FAILED) is True: + form = authentication_form(data=request.POST) + else: + form = CaptchaAuthenticationForm() else: form = authentication_form(request) diff --git a/seahub/settings.py b/seahub/settings.py index 2d82ecef10..a92b287753 100644 --- a/seahub/settings.py +++ b/seahub/settings.py @@ -442,6 +442,7 @@ LOGGING = { #Login Attempt LOGIN_ATTEMPT_LIMIT = 3 LOGIN_ATTEMPT_TIMEOUT = 15 * 60 # in seconds (default: 15 minutes) +FREEZE_USER_ON_LOGIN_FAILED = False # deactivate user account when login attempts exceed limit # Age of cookie, in seconds (default: 1 day). SESSION_COOKIE_AGE = 24 * 60 * 60 @@ -629,6 +630,9 @@ CONSTANCE_CONFIG = { 'ACTIVATE_AFTER_REGISTRATION': (ACTIVATE_AFTER_REGISTRATION,''), 'REGISTRATION_SEND_MAIL': (REGISTRATION_SEND_MAIL ,''), 'LOGIN_REMEMBER_DAYS': (LOGIN_REMEMBER_DAYS,''), + 'LOGIN_ATTEMPT_LIMIT': (LOGIN_ATTEMPT_LIMIT, ''), + 'FREEZE_USER_ON_LOGIN_FAILED': (FREEZE_USER_ON_LOGIN_FAILED, ''), + 'ENABLE_USER_CREATE_ORG_REPO': (ENABLE_USER_CREATE_ORG_REPO, ''), 'ENABLE_ENCRYPTED_LIBRARY': (ENABLE_ENCRYPTED_LIBRARY,''), diff --git a/seahub/templates/sysadmin/settings.html b/seahub/templates/sysadmin/settings.html index 6825b53686..1dff351939 100644 --- a/seahub/templates/sysadmin/settings.html +++ b/seahub/templates/sysadmin/settings.html @@ -40,6 +40,15 @@ {% with type="input" setting_display_name="keep sign in" help_tip="Number of days that keep user sign in." setting_name="LOGIN_REMEMBER_DAYS" setting_val=config_dict.LOGIN_REMEMBER_DAYS %} {% include "snippets/web_settings_form.html" %} {% endwith %} + + {% with type="input" setting_display_name="LOGIN_ATTEMPT_LIMIT" help_tip="The maximum number of failed login attempts before showing CAPTCHA." setting_name="LOGIN_ATTEMPT_LIMIT" setting_val=config_dict.LOGIN_ATTEMPT_LIMIT %} + {% include "snippets/web_settings_form.html" %} + {% endwith %} + + {% with type="checkbox" setting_display_name="FREEZE_USER_ON_LOGIN_FAILED" help_tip="Freeze user account when failed login attempts exceed limit." setting_name="FREEZE_USER_ON_LOGIN_FAILED" setting_val=config_dict.FREEZE_USER_ON_LOGIN_FAILED %} + {% include "snippets/web_settings_form.html" %} + {% endwith %} +

Password

diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py index ef1cbc8d30..9c09c4a8ef 100644 --- a/seahub/views/sysadmin.py +++ b/seahub/views/sysadmin.py @@ -2162,7 +2162,8 @@ def sys_settings(request): 'ENABLE_REPO_HISTORY_SETTING', 'USER_STRONG_PASSWORD_REQUIRED', 'ENABLE_ENCRYPTED_LIBRARY', 'USER_PASSWORD_MIN_LENGTH', 'USER_PASSWORD_STRENGTH_LEVEL', 'SHARE_LINK_PASSWORD_MIN_LENGTH', - 'ENABLE_USER_CREATE_ORG_REPO', 'FORCE_PASSWORD_CHANGE' + 'ENABLE_USER_CREATE_ORG_REPO', 'FORCE_PASSWORD_CHANGE', + 'LOGIN_ATTEMPT_LIMIT', 'FREEZE_USER_ON_LOGIN_FAILED', ) STRING_WEB_SETTINGS = ('SERVICE_URL', 'FILE_SERVER_ROOT',)