  1. phpBB3
  2. PHPBB3-10212

Captcha not displayed when username not exists

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.9-RC1
    • Fix Version/s: 3.0.10-RC1
    • Component/s: Authentication
    • Labels:
      None

      Description

      With the new IP limit feature, the captcha is not displayed when someone is trying to log in with an account that doesn't exist, while he is over the maximum attempts configured. Once he tries to log in with an account that exists, he gets the captcha.

      The reason for this is the code in includes/auth_db.php:

      	if (!$row)
      	{
      		return array(
      			'status'	=> LOGIN_ERROR_USERNAME,
      			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
      			'user_row'	=> array('user_id' => ANONYMOUS),
      		);
      	}
       
      	$show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) ||
      		($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']);
       
      	// If there are too much login attempts, we need to check for an confirm image
      	// Every auth module is able to define what to do by itself...
      	if ($show_captcha)
      	{
      		// Visual Confirmation handling
      		if (!class_exists('phpbb_captcha_factory'))
      		{
      			global $phpbb_root_path, $phpEx;
      			include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
      		}
       
      		$captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
      		$captcha->init(CONFIRM_LOGIN);
      		$vc_response = $captcha->validate($row);
      		if ($vc_response)
      		{
      			return array(
      				'status'		=> LOGIN_ERROR_ATTEMPTS,
      				'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
      				'user_row'		=> $row,
      			);
      		}
      		else
      		{
      			$captcha->reset();
      		}
       
      	}
      
      

      Here the check for whether a user exists is done before the check for the captcha. When the code that checks whether the user exists is moved afterwards, the captcha is displayed.
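
      The ordering problem described above, as an added stand-alone sketch (not phpBB's code and not the project's actual patch): it compares the reported order with the reordering the reporter suggests, for an unknown username whose IP is over the limit. The function names, status constants and the `$captcha_ok` flag are hypothetical stand-ins for the captcha plugin call.

```php
<?php
// Stand-in status values for this sketch; constructed, not phpBB's constants.
const STATUS_ERROR_USERNAME = 'LOGIN_ERROR_USERNAME';
const STATUS_ERROR_ATTEMPTS = 'LOGIN_ERROR_ATTEMPTS';
const STATUS_CONTINUE       = 'CONTINUE_TO_PASSWORD_CHECK';

// $row is false for an unknown username, so only the IP counter can apply;
// the per-user counter is read only when a row exists.
function needs_captcha(array $config, $row, int $ip_attempts): bool
{
    $per_user = $row && $config['max_login_attempts']
        && $row['user_login_attempts'] >= $config['max_login_attempts'];
    $per_ip = $config['ip_login_limit_max']
        && $ip_attempts >= $config['ip_login_limit_max'];
    return $per_user || $per_ip;
}

// Order from the report: unknown usernames return before the captcha decision.
function login_user_check_first(array $config, $row, int $ip_attempts, bool $captcha_ok): string
{
    if (!$row) {
        return STATUS_ERROR_USERNAME;
    }
    if (needs_captcha($config, $row, $ip_attempts) && !$captcha_ok) {
        return STATUS_ERROR_ATTEMPTS;
    }
    return STATUS_CONTINUE;
}

// Reordered: the captcha decision is made first, whether or not the user exists.
function login_captcha_first(array $config, $row, int $ip_attempts, bool $captcha_ok): string
{
    if (needs_captcha($config, $row, $ip_attempts) && !$captcha_ok) {
        return STATUS_ERROR_ATTEMPTS;
    }
    return $row ? STATUS_CONTINUE : STATUS_ERROR_USERNAME;
}

// Constructed sample configuration and login attempts (captcha not solved).
$config = ['max_login_attempts' => 3, 'ip_login_limit_max' => 5];
$cases = [
    'unknown user, IP over limit'  => [false, 6],
    'known user, IP over limit'    => [['user_login_attempts' => 0], 6],
    'unknown user, IP under limit' => [false, 1],
];
foreach ($cases as $label => [$row, $ip_attempts]) {
    printf("%-30s before: %-22s after: %s\n", $label,
        login_user_check_first($config, $row, $ip_attempts, false),
        login_captcha_first($config, $row, $ip_attempts, false));
}
```

      In the first case the original order answers with the username error while the reordered version answers with the attempts error, which is the same response an existing account gets once the IP limit is reached.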

            People

            • Assignee:
              naderman Nils Adermann
              Reporter:
              Paul Paul Sohier