This issue continues from http://drupal.org/node/184085
The only way we could consider with the current source is to perform the count remaining for an IP address.. is this right for you?
This would work (and work well) for me. It is also how vBulletin works, so it's probably the behavior that people expect.
what is the best way to notice the user about that.. a normal message (drupal_set_message) in the drupal page? show an error string (with form_set_error)?
Is a message like "You have 3 login attempts remaining" a status, warning or error message? vBulletin doesn't have the degrees of message escalation that Drupal has, so we're on our own figuring this out. I strongly lean towards the message being a warning and use drupal_set_message($message, 'warning');.
In any case, I'd probably use form_set_error so that it contains an array with the necessary variables. The form_set_message function includes drupal_set_message so we can still have nice message effects for warnings.
Comments
Comment #1
ilo commentedOk, finally updated to the repository.
Christefano, I've done and commited some modifications I hope will comply with your feature request. Anyway you will have to wait for the module publishing update (daily).
I've added a new textarea for the "per failed login" message, and a checkbox to enable the showing of that message.
This is a list of the available placeholders in ALL messages:
%date : The (formated) date and time of the operation
%ip : The IP Address performing the operation
%username : The username entered in the login form (sanitized)
%email : If the user exists, this will be it's name
%uid : ..and if exists, this will be it's uid
%site : The configured site's name
%uri : The base url of the drupal site
%edit_uri : Direct link to the user (name entered) edit operations
%hard_block_attempts : Configured login attempts before hard blocking the IP address
%soft_block_attempts : Configured login attempts before soft blocking the IP address
%user_block_attempts : Configured login attempts before blocking the user
%user_ip_current_count : The total attempts for the name entered by this IP address
%ip_current_count : The total login attempts by this IP address
%user_current_count : The total login attempts for this name (no matter the IP address)
%tracking_time : The tracking time, it's maximun soft blocking time.
In the module I've also set the message for you as in the vbulletin:
"You have used %ip_current_count out of %hard_block_attempts login attempts. After all %hard_block_attempts have been used, you will be unable to login for %tracking_time hour(s)."
But the placeholders allow a message like this:
"You have used %ip_current_count out of %hard_block_attempts login attempts. After all %hard_block_attempts have been used, you will be unable to login for %tracking_time hour(s).
The login name %username has been used %user_current_count of the %user_block_attempts times available before being blocked.
You IP address (%ip) attempted to login a total of %ip_current_count times. We would like to remember your that if you fail to login %hard_block_attempts times your host will be completly blocked in this site."
I'm leaving the issue open for any further comment after your testings..
Thanks a lot for your help!
Comment #2
ilo commentedI found a problem due to the module's workflow.. the message with the number of available attempts is also shown if the login succeeds. I've to check what to do with that, because the login_security does not check the login by itself, it just counts the login attempts, to don't disrupt other module's features included in the login (like captchas, tokens and so).
I've to take a look to the hook implemented in the login operation.. maybe I can find a quick solution for this. For now, it's just an annoying message once logged in.
Comment #3
ilo commentedOk, the message is now fixed, and not being displayed upon successfull login. All the code is working right now. Everything is updated in the repository.
I have one pending task in my todo:
What to do when the module is disabled or unistalled from the site.. Do we remove the table and the variables? when (unistall only)?
Comment #4
ilo commentedPlease, if you find me, delete me!
Comment #5
ilo commentedFixed and released as stable. Thank you!
Comment #6
ilo commentedfinished!