[Koha-bugs] [Bug 25947] Improve locked account message
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Mar 6 00:46:46 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25947
--- Comment #17 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #16)
> We really shouldn't be doing this. It's best practice not to tell an
> unauthenticated user that an account has been locked due to failed login
> attempts. It leaks information about system settings and user accounts.
If we're going to do something insecure, we should wrap it in a system
preference, default it to disabled, and have explanatory text on the system
preference page saying it's an insecure setting.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list