  1. phpBB3
  2. PHPBB3-10212

Captcha not displayed when username not exists

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.9-RC1
    • Fix Version/s: 3.0.10-RC1
    • Component/s: Authentication
    • Labels:
      None

      Description

      With the new IP limit feature, the captcha is not displayed when someone tries to log in with an account that doesn't exist while he is over the configured maximum attempts. Once he tries to log in with an account that exists, he gets the captcha.

      The reason for this is the code in includes/auth_db.php:

      	if (!$row)
      	{
      		return array(
      			'status'	=> LOGIN_ERROR_USERNAME,
      			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
      			'user_row'	=> array('user_id' => ANONYMOUS),
      		);
      	}
       
      	$show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) ||
      		($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']);
       
      	// If there are too much login attempts, we need to check for an confirm image
      	// Every auth module is able to define what to do by itself...
      	if ($show_captcha)
      	{
      		// Visual Confirmation handling
      		if (!class_exists('phpbb_captcha_factory'))
      		{
      			global $phpbb_root_path, $phpEx;
      			include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
      		}
       
      		$captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
      		$captcha->init(CONFIRM_LOGIN);
      		$vc_response = $captcha->validate($row);
      		if ($vc_response)
      		{
      			return array(
      				'status'		=> LOGIN_ERROR_ATTEMPTS,
      				'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
      				'user_row'		=> $row,
      			);
      		}
      		else
      		{
      			$captcha->reset();
      		}
       
      	}
      
      

      Here the check for whether a user exists is done before the check for the captcha. When the code that checks whether the user exists is moved after it, the captcha is displayed.
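
The reordering described in the report, modelled as a self-contained PHP function. This is an added example, not phpBB's code or its actual fix: `login_status()`, its parameters and the constant values are hypothetical, and captcha validation is reduced to a boolean.

```php
<?php
// Added illustration, not phpBB code. Status names follow the report;
// the numeric values are constructed for this example.
const LOGIN_SUCCESS = 1;
const LOGIN_ERROR_USERNAME = 2;
const LOGIN_ERROR_PASSWORD = 3;
const LOGIN_ERROR_ATTEMPTS = 4;

/**
 * @param array|null $row         user record, or null when the username is unknown
 * @param int        $attempts    failed logins recorded for the client IP
 * @param array      $config      max_login_attempts / ip_login_limit_max (0 disables)
 * @param bool       $captcha_ok  a valid captcha answer accompanied the request
 * @param bool       $password_ok the supplied password matched (hypothetical input)
 */
function login_status(?array $row, int $attempts, array $config, bool $captcha_ok, bool $password_ok): int
{
    // The per-account limit only applies when there is an account to count against.
    $user_limit = $row && $config['max_login_attempts']
        && $row['user_login_attempts'] >= $config['max_login_attempts'];
    // The per-IP limit does not depend on the account: evaluate it for every request.
    $ip_limit = $config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max'];

    // Captcha gate first, so known and unknown usernames get the same answer.
    if (($user_limit || $ip_limit) && !$captcha_ok) {
        return LOGIN_ERROR_ATTEMPTS;
    }
    // Only after the gate is the missing username reported.
    if (!$row) {
        return LOGIN_ERROR_USERNAME;
    }
    return $password_ok ? LOGIN_SUCCESS : LOGIN_ERROR_PASSWORD;
}

$config = ['max_login_attempts' => 3, 'ip_login_limit_max' => 5]; // constructed values
$known  = ['user_id' => 2, 'user_login_attempts' => 0];           // constructed sample row

// [row, IP attempts, captcha solved, password ok, expected status]
$cases = [
    [null,   5, false, false, LOGIN_ERROR_ATTEMPTS], // over IP limit, unknown user
    [$known, 5, false, false, LOGIN_ERROR_ATTEMPTS], // over IP limit, known user
    [null,   1, false, false, LOGIN_ERROR_USERNAME], // under the limit
    [null,   5, true,  false, LOGIN_ERROR_USERNAME], // captcha solved, unknown user
    [$known, 5, true,  true,  LOGIN_SUCCESS],        // captcha solved, good password
];
foreach ($cases as [$row, $attempts, $captcha_ok, $password_ok, $expected]) {
    $got = login_status($row, $attempts, $config, $captcha_ok, $password_ok);
    printf("got=%d expected=%d %s\n", $got, $expected, $got === $expected ? 'ok' : 'MISMATCH');
}
```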


          People

          • Assignee:
            naderman Nils Adermann
            Reporter:
            Paul Paul Sohier