6 Mar
2023
6 Mar
'23
12:46 a.m.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25947 --- Comment #17 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #16)
We really shouldn't be doing this. It's best practice not to tell an unauthenticated user that an account has been locked due to failed login attempts. It leaks information about system settings and user accounts.
If we're going to do something insecure, we should wrap it in a system preference, default it to disabled, and have explanatory text on the system preference page saying it's an insecure setting. -- You are receiving this mail because: You are watching all bug changes.