From a27ac6444b8a988062f8c487ae35ea176f4db601 Mon Sep 17 00:00:00 2001
From: Mike Blume
Date: Wed, 15 Sep 2010 03:39:24 +0000
Subject: [PATCH] check for lockout immediately, rather than mucking with the database.
This has the side effect that a locked-out user attempting to log in does not reset their cooloff time. This is good, since the reverse may feel overly 'punitive' to the user.
---
 axes/decorators.py | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/axes/decorators.py b/axes/decorators.py
index 5219d03..2541e88 100644
--- a/axes/decorators.py
+++ b/axes/decorators.py
@@ -99,6 +99,23 @@ def watch_login(func):
 if attempt:
 failures = attempt.failures_since_start
+ # no matter what, we want to lock them out
+ # if they're past the number of attempts allowed
+ if failures > FAILURE_LIMIT:
+ if LOCK_OUT_AT_FAILURE:
+ if COOLOFF_TIME:
+ response = HttpResponse("Account locked: too many login attempts. "
+ "Please try again later."
+ )
+ else:
+ response = HttpResponse("Account locked: too many login attempts. "
+ "Contact an admin to unlock your account."
+ )
+ # We log them out in case they actually managed to enter
+ # the correct password.
+ logout(request)
+ return response
+
 if login_unsuccessful:
 # add a failed attempt for this user
 failures += 1
@@ -140,21 +157,6 @@ def watch_login(func):
 failures_since_start=failures
 )
- # no matter what, we want to lock them out
- # if they're past the number of attempts allowed
- if failures > FAILURE_LIMIT:
- if LOCK_OUT_AT_FAILURE:
- if COOLOFF_TIME:
- response = HttpResponse("Account locked: too many login attempts. "
- "Please try again later."
- )
- else:
- response = HttpResponse("Account locked: too many login attempts. "
- "Contact an admin to unlock your account."
- )
- # We log them out in case they actually managed to enter
- # the correct password.
- logout(request)
 return response
 return decorated_login
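Review bot: With the lockout check now returning before the `if login_unsuccessful:` bookkeeping, an attempt made against an already locked-out account is no longer counted or recorded at all, which is the intended cool-off behaviour but also drops those attempts from the audit trail; a log line before `return response` (no database write needed) would preserve that signal. The comment about a correct password indicates the wrapped login view has already run above this hunk, so a locked-out account still has its credentials verified and a session created before `logout(request)` discards it; if the lockout test can be moved ahead of that call, the account is never authenticated in the first place. Indentation is lost in this rendering, so it is worth confirming that `logout(request)` and `return response` are nested under `if LOCK_OUT_AT_FAILURE:`, where `response` is bound, and not merely under `if failures > FAILURE_LIMIT:`. The lockout responses are also plain `HttpResponse(...)` (HTTP 200); passing `status=403` would let clients and monitoring distinguish a lockout from a normal page. The enclosing `decorated_login` starts outside the hunk.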