6.0.0-alpha14
7/2/25

[#14467] authLockUser method missing
Summary authLockUser method missing
Queue IMP
Queue Version 6.2.16
Type Bug
State Resolved
Priority 1. Low
Owners mrubinsk (at) horde (dot) org
Requester aaronp (at) critd (dot) com
Created 09/12/2016 (3215 days ago)
Due
Updated 09/15/2016 (3212 days ago)
Assigned 09/14/2016 (3213 days ago)
Resolved 09/15/2016 (3212 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
09/15/2016 08:38:53 PM Michael Rubinsky Comment #4
Taken from Horde Developers
State ⇒ Resolved
Fixed in Horde_Core 2.27.0.
09/15/2016 08:37:12 PM Git Commit Comment #3
Changes have been made in Git (master):

commit 1869eb82a4c47a79dabe535d9dc81989cd5e8244
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Thu Sep 15 16:33:37 2016 -0400

     Bug: 14467 Fix locking user after bad logins.

     The 'lock' capability is provided by Horde, not an application
     auth method.

  framework/Core/lib/Horde/Core/Auth/Application.php | 6 ------
  1 file changed, 6 deletions(-)

http://github.com/horde/horde/commit/1869eb82a4c47a79dabe535d9dc81989cd5e8244
09/14/2016 02:10:37 PM Michael Rubinsky Assigned to Michael Rubinsky
State ⇒ Assigned
Assigned to Horde Developers
 
09/14/2016 02:10:21 PM Michael Rubinsky Comment #2

Yes, something doesn't look right there. 
Horde_Core_Auth_Application::lockUser is an override of 
Horde_Auth_Base::lockUser.  It looks like it was added to give 
applications the ability to provide their own method of locking users 
- though none of our applications seem to implement this.

The 'lock' capability is set if the 'lock_api' parameter is passed 
when constructing an Auth object, and this is done when the 
'login_block' parameter is set in the config. Now, the hasCapability() 
method is called in Horde_Core_Auth_Application::lockUser - the 
Horde_Core_Auth_Application::hasCapability method explicitly states 
that the 'lock' ability is determined by "Horde", and NOT by 
applications - yet, when that check is true, we call the application 
method. That is broken. If we truly want to allow the applications to 
provide their own lock mechanisms we need to first check the 
appCapability, and if that fails, then check Horde.
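
Added example (not part of the ticket and not Horde's code): a simplified PHP model of the dispatch order comment #2 describes, showing why a lockout never lands when the Horde-level 'lock' flag gates a call into an application hook that does not exist. All class and function names are hypothetical, and the model assumes a missing hook raises an exception.

```php
<?php
// Simplified model of the dispatch in comment #2. Every name below is a
// hypothetical stand-in, not Horde's real API.
class BaseLock                      // stands in for the Horde-level lock store
{
    public $locked = [];
    public function lockUser($user, $minutes) { $this->locked[$user] = $minutes; }
}
class App                           // stands in for an application such as IMP
{
    private $methods;
    public function __construct(array $methods = []) { $this->methods = $methods; }
    public function has($name) { return isset($this->methods[$name]); }
    public function call($name, array $args)
    {
        if (!$this->has($name)) {
            // Assumption of this model: a missing hook is a hard failure.
            throw new RuntimeException("app method $name missing");
        }
        return call_user_func_array($this->methods[$name], $args);
    }
}

// Broken order: the Horde-level 'lock' flag gates a call into the application.
function lockUserBroken(App $app, $hordeLock, $user, $minutes)
{
    if (!$hordeLock) { return false; }
    $app->call('authLockUser', [$user, $minutes]);  // fails: no such hook
    return true;
}
// Order proposed in the comment: application hook first, then Horde's lock.
function lockUserOrdered(App $app, BaseLock $base, $hordeLock, $user, $minutes)
{
    if ($app->has('authLockUser')) {
        $app->call('authLockUser', [$user, $minutes]);
        return 'app';
    }
    if ($hordeLock) {
        $base->lockUser($user, $minutes);
        return 'horde';
    }
    return false;
}

$imp  = new App();                  // constructed: an app defining no lock hook
$base = new BaseLock();
try { lockUserBroken($imp, true, 'alice', 5); }
catch (RuntimeException $e) { echo "broken: ", $e->getMessage(), "\n"; }
echo "ordered: ", lockUserOrdered($imp, $base, true, 'alice', 5), "\n";
echo "locked for: ", $base->locked['alice'], " min\n";
```

With the broken order the user is never recorded as locked, so failed logins keep being counted without a block taking effect; with the ordered dispatch the Horde-level lock is applied.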
09/12/2016 07:37:31 PM aaronp (at) critd (dot) com Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ authLockUser method missing
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
We're using Horde 5.2.12 and IMP 6.2.16 with PHP 5.6.24. We're trying 
to get Horde to lock out users after a configurable number of failed 
login attempts. We're using IMP/IMAP for authentication. This is 
related to a problem we originally reported to the IMP mailing list:

http://marc.info/?l=imp&m=147369545621876&w=2


We're not sure this was ever working for us. Here are the relevant 
configuration lines we're using:

$conf['auth']['params']['app'] = 'imp';
$conf['auth']['driver'] = 'application';
$conf['auth']['params']['count_bad_logins'] = true;
$conf['auth']['params']['login_block'] = true;
$conf['auth']['params']['login_block_count'] = 5;
$conf['auth']['params']['login_block_time'] = 5;


I can confirm that the failed authentication attempts are correctly 
being inserted into the horde_histories table.

I've done some debugging, and I think I've narrowed it to 
Horde/Core/Auth/Application.php line 231. The lockUser method tries:

$GLOBALS['registry']->callAppMethod($this->_app, 'authLockUser', 
array('args' => array($userId, $time)));


But the method authLockUser doesn't seem to exist. Similarly, the 
authUnlockUser method does not seem to exist. I'm not sure where 
authLockUser should be or if this is a problem with Horde itself or 
IMP. Thanks.

