
NotificationSubscriber for locked out users

Imar Spaanjaars Dynamicweb Employee

Hi there,

Is there a NotificationSubscriber that fires when a user gets locked after X number of invalid password attempts? I would like to notify the support department when that happens but I can't seem to find a relevant subscriber. If it doesn't exist, could it be added with the relevant args so I can see info about the user? I know there is OnExtranetLoginFailed with OnExtranetLoginFailedArgs.FailReason that has ExceededFailedLoginLimit as a member, but that fires whenever someone logs in with a locked account, not when the account gets locked.

Thanks,

Imar


Replies

 
Nicolai Høeg Pedersen

Hi Imar

There is no such notification subscriber. We will investigate if it can make it soon.

BR Nicolai

 
Imar Spaanjaars Dynamicweb Employee

Great, thank you.

Imar

 
Jonas Krarup Dam

Hi Imar,

I have added this to the backlog for 8.7.1

Regards, Jonas

 
Imar Spaanjaars Dynamicweb Employee

Great. Any chance this can also be backported to the 8.6.x? That way we don't have to do a minor upgrade + testing.

Thanks,

Imar

 
Jonas Krarup Dam
This post has been marked as an answer

Hi Imar,

If the implementation is as simple as I expect it to be, I don't see a problem with merging the change to 8.6.1.x - I'll let you know, once the item has been implemented.

Regards, Jonas

Votes for this answer: 1
 
Imar Spaanjaars Dynamicweb Employee

Thanks!

 
Imar Spaanjaars Dynamicweb Employee

Hi Jonas,

I just discovered this option in 8.7. Thanks for having it added.

One question: it seems that the account lockout is only temporary. Would it make sense to block the user inside the subscriber using something like this:

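// Cast to the login-failed args; ignore any other notification type.
var localArgs = args as Standard.User.OnExtranetLoginFailedArgs;
if (localArgs == null)
{
  return;
}
if (localArgs.Reason == Standard.User.OnExtranetLoginFailedArgs.FailReason.ExceededFailedLoginLimit)
{
  // Deactivate the account so it stays blocked until someone re-enables it.
  var user = Dynamicweb.Modules.UserManagement.User.GetUserByUserName(localArgs.Username);
  if (user != null)
  {
    user.Active = false;
    user.Save();
  }
}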

Or is there a built-in way to block users for good until someone unblocks them?

Imar

 
Nicolai Høeg Pedersen

Hi Imar

Setting the user to inactive is fine.

BR Nicolai

 
Imar Spaanjaars Dynamicweb Employee

Thanks Nicolai!

 
Imar Spaanjaars Dynamicweb Employee

I found an issue with this implementation. The release notes for this item say: "Add a NotificationSubscriber that fires when a user gets locked after X number of invalid password attempts". This also matches my original request. However, it's implemented as "Fire a NotificationSubscriber when a locked out user tries to log in".

There's a big difference here. In the former case, the subscriber only fires once: when the user gets locked out. In the latter case, the subscriber fires many times: every time the locked out user tries to log in. I need to send an email to the IT department when a user gets locked so they can handle it internally, but with the current implementation they would get many emails.

Can this be looked at?

Thanks,

Imar

 
Nicolai Høeg Pedersen

I'll have QA take a look and fix it if it is wrong.

 
Christian Rud Skovgaard

Hi Imar,

We will change the "Fires every time a locked out user tries to login" code to "Fires every time a user gets locked" to avoid spamming.

This change will appear in the next hotfix (8.6.1.22 / 8.7.0.3)

Kind regards

Christian

 
Imar Spaanjaars Dynamicweb Employee

Thanks Christian!

Imar

 
Christian Rud Skovgaard
This post has been marked as an answer

Hi again Imar,

I talked to a developer and he told me that the following should work:

use:
==============
if (localArgs.Reason == Standard.User.OnExtranetLoginFailedArgs.FailReason.LoginLocked)
==============
instead of
==============
if (localArgs.Reason == Standard.User.OnExtranetLoginFailedArgs.FailReason.ExceededFailedLoginLimit)
==============

Could you confirm this?

 

Kind regards

Christian

 

Votes for this answer: 1
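
Added example, not part of the thread and not Dynamicweb code: a stand-alone sketch of the "one alert per lockout" behaviour discussed above, which suppresses repeat alerts even if the login-failed event fires on every attempt against a locked account. The `FailReason` enum here is a constructed stand-in (`WrongPassword` is hypothetical), and `LockoutAlerter`, `OnUnlocked` and the alert callback are assumed names.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the failure reasons named in the thread (not the Dynamicweb enum).
enum FailReason { WrongPassword, ExceededFailedLoginLimit, LoginLocked }

// Turns a signal that may repeat on every attempt into one alert per lockout episode.
sealed class LockoutAlerter
{
    private readonly HashSet<string> _alerted =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    private readonly Action<string> _notify;

    public LockoutAlerter(Action<string> notify) { _notify = notify; }

    // Returns true only when this call raised an alert.
    public bool OnLoginFailed(string username, FailReason reason)
    {
        if (string.IsNullOrWhiteSpace(username)) return false;
        if (reason != FailReason.ExceededFailedLoginLimit && reason != FailReason.LoginLocked)
            return false;
        lock (_alerted)   // login requests can arrive concurrently
        {
            if (!_alerted.Add(username)) return false;   // already reported
        }
        _notify(username);
        return true;
    }

    // Call when support re-enables the account so a later lockout alerts again.
    public void OnUnlocked(string username)
    {
        lock (_alerted) { _alerted.Remove(username); }
    }
}

static class Demo
{
    static void Main()
    {
        var alerter = new LockoutAlerter(u => Console.WriteLine("ALERT: account locked: " + u));
        // Constructed event sequence: one lockout, a repeat attempt, an unlock, a new lockout.
        alerter.OnLoginFailed("alice", FailReason.WrongPassword);            // not a lockout
        alerter.OnLoginFailed("alice", FailReason.LoginLocked);              // alerts
        alerter.OnLoginFailed("Alice", FailReason.ExceededFailedLoginLimit); // suppressed
        alerter.OnUnlocked("alice");
        alerter.OnLoginFailed("alice", FailReason.LoginLocked);              // alerts again
    }
}
```

The set of already-reported accounts lives in memory, so it is lost on an application restart and would need to be persisted to keep the one-alert guarantee across restarts.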

 
