Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-02-13 11:44:20 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Feature: Added brute force login protection settings to Admin Panel/People/Locked Users.

Browse source 
Added filtering of Admin Panel/People/People: All Users/Locked Users Only/Active/Not Active.
Added visual indicators: red lock icon for locked users, green check for active users, and red X for inactive users.
Added "Unlock All" button to quickly unlock all brute force locked users.
Added ability to toggle user active status directly from the People page.
Moved lockout settings from environment variables to database so admins can configure the lockout thresholds directly in the UI.

Thanks to xet7.
This commit is contained in:
Lauri Ojansivu 2025-08-05 00:31:43 +03:00
parent 0132b801b2
commit ae0d059b6f
13 changed files with 912 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

47
client/components/settings/lockedUsersBody.css Normal file
View file

@ -0,0 +1,47 @@
.text-red {
color: #e74c3c;
}
td i.fa-lock.text-red,
li i.fa-lock.text-red {
margin-right: 5px;
}
.locked-users-table {
width: 100%;
border-collapse: collapse;
margin: 15px 0;
}
.locked-users-table th,
.locked-users-table td {
padding: 8px;
text-align: left;
border-bottom: 1px solid #ddd;
}
.locked-users-table th {
background-color: #f2f2f2;
font-weight: bold;
}
.locked-users-table tr:hover {
background-color: #f5f5f5;
}
.loading-indicator {
padding: 10px;
text-align: center;
}
.loading-indicator i {
margin-right: 5px;
}
.locked-users-settings {
padding: 0 10px;
}
button.js-unlock-all-users {
margin-bottom: 20px;
}

175
client/components/settings/lockedUsersBody.js Normal file
View file

@ -0,0 +1,175 @@
import { ReactiveCache } from '/imports/reactiveCache';
import LockoutSettings from '/models/lockoutSettings';
BlazeComponent.extendComponent({
onCreated() {
this.lockedUsers = new ReactiveVar([]);
this.isLoadingLockedUsers = new ReactiveVar(false);
// Don't load immediately to prevent unnecessary spinner
// The data will be loaded when the tab is selected in peopleBody.js switchMenu
},
refreshLockedUsers() {
// Set loading state initially, but we'll hide it if no users are found
this.isLoadingLockedUsers.set(true);
Meteor.call('getLockedUsers', (err, users) => {
if (err) {
this.isLoadingLockedUsers.set(false);
const reason = err.reason || '';
const message = `${TAPi18n.__(err.error)}\n${reason}`;
alert(message);
return;
}
// If no users are locked, don't show loading spinner and set empty array
if (!users || users.length === 0) {
this.isLoadingLockedUsers.set(false);
this.lockedUsers.set([]);
return;
}
// Format the remaining time to be more human-readable
users.forEach(user => {
if (user.remainingLockTime > 60) {
const minutes = Math.floor(user.remainingLockTime / 60);
const seconds = user.remainingLockTime % 60;
user.remainingTimeFormatted = `${minutes}m ${seconds}s`;
} else {
user.remainingTimeFormatted = `${user.remainingLockTime}s`;
}
});
this.lockedUsers.set(users);
this.isLoadingLockedUsers.set(false);
});
},
unlockUser(event) {
const userId = $(event.currentTarget).data('user-id');
if (!userId) return;
if (confirm(TAPi18n.__('accounts-lockout-confirm-unlock'))) {
Meteor.call('unlockUser', userId, (err, result) => {
if (err) {
const reason = err.reason || '';
const message = `${TAPi18n.__(err.error)}\n${reason}`;
alert(message);
return;
}
if (result) {
alert(TAPi18n.__('accounts-lockout-user-unlocked'));
this.refreshLockedUsers();
}
});
}
},
unlockAllUsers() {
if (confirm(TAPi18n.__('accounts-lockout-confirm-unlock-all'))) {
Meteor.call('unlockAllUsers', (err, result) => {
if (err) {
const reason = err.reason || '';
const message = `${TAPi18n.__(err.error)}\n${reason}`;
alert(message);
return;
}
if (result) {
alert(TAPi18n.__('accounts-lockout-user-unlocked'));
this.refreshLockedUsers();
}
});
}
},
saveLockoutSettings() {
// Get values from form
const knownFailuresBeforeLockout = parseInt($('#known-failures-before-lockout').val(), 10) || 3;
const knownLockoutPeriod = parseInt($('#known-lockout-period').val(), 10) || 60;
const knownFailureWindow = parseInt($('#known-failure-window').val(), 10) || 15;
const unknownFailuresBeforeLockout = parseInt($('#unknown-failures-before-lockout').val(), 10) || 3;
const unknownLockoutPeriod = parseInt($('#unknown-lockout-period').val(), 10) || 60;
const unknownFailureWindow = parseInt($('#unknown-failure-window').val(), 10) || 15;
// Update the database
LockoutSettings.update('known-failuresBeforeLockout', {
$set: { value: knownFailuresBeforeLockout },
});
LockoutSettings.update('known-lockoutPeriod', {
$set: { value: knownLockoutPeriod },
});
LockoutSettings.update('known-failureWindow', {
$set: { value: knownFailureWindow },
});
LockoutSettings.update('unknown-failuresBeforeLockout', {
$set: { value: unknownFailuresBeforeLockout },
});
LockoutSettings.update('unknown-lockoutPeriod', {
$set: { value: unknownLockoutPeriod },
});
LockoutSettings.update('unknown-failureWindow', {
$set: { value: unknownFailureWindow },
});
// Reload the AccountsLockout configuration
Meteor.call('reloadAccountsLockout', (err, ret) => {
if (!err && ret) {
const message = TAPi18n.__('accounts-lockout-settings-updated');
alert(message);
} else {
const reason = err?.reason || '';
const message = `${TAPi18n.__(err?.error || 'error-updating-settings')}\n${reason}`;
alert(message);
}
});
},
knownFailuresBeforeLockout() {
return LockoutSettings.findOne('known-failuresBeforeLockout')?.value || 3;
},
knownLockoutPeriod() {
return LockoutSettings.findOne('known-lockoutPeriod')?.value || 60;
},
knownFailureWindow() {
return LockoutSettings.findOne('known-failureWindow')?.value || 15;
},
unknownFailuresBeforeLockout() {
return LockoutSettings.findOne('unknown-failuresBeforeLockout')?.value || 3;
},
unknownLockoutPeriod() {
return LockoutSettings.findOne('unknown-lockoutPeriod')?.value || 60;
},
unknownFailureWindow() {
return LockoutSettings.findOne('unknown-failureWindow')?.value || 15;
},
lockedUsers() {
return this.lockedUsers.get();
},
isLoadingLockedUsers() {
return this.isLoadingLockedUsers.get();
},
events() {
return [
{
'click button.js-refresh-locked-users': this.refreshLockedUsers,
'click button#refreshLockedUsers': this.refreshLockedUsers,
'click button.js-unlock-user': this.unlockUser,
'click button.js-unlock-all-users': this.unlockAllUsers,
'click button.js-lockout-save': this.saveLockoutSettings,
},
];
},
}).register('lockedUsersGeneral');

84
client/components/settings/peopleBody.css
View file

@ -89,3 +89,87 @@ table tr:nth-child(even) {
#deleteAction {
margin-left: 5% !important;
}
.divLockedUsersFilter {
display: flex;
align-items: center;
margin: 0 15px;
}
.divLockedUsersFilter .flex-container {
display: flex;
align-items: center;
gap: 8px;
}
.divLockedUsersFilter .people-filter {
margin-bottom: 0;
color: #777;
line-height: 34px;
}
.divLockedUsersFilter .user-filter {
border: 1px solid #ccc;
border-radius: 2px;
padding: 4px 8px;
background-color: white;
}
.unlock-all-btn {
margin-left: 15px;
background-color: #e67e22;
color: white;
border: none;
border-radius: 2px;
padding: 5px 10px;
cursor: pointer;
display: flex;
align-items: center;
gap: 5px;
}
.unlock-all-btn:hover {
background-color: #d35400;
}
.account-active-status {
width: 20px;
text-align: center;
}
.js-toggle-active-status {
cursor: pointer;
}
.unlock-all-success {
position: fixed;
top: 10%;
left: 50%;
transform: translateX(-50%);
background-color: #27ae60;
color: white;
padding: 10px 20px;
border-radius: 4px;
z-index: 9999;
box-shadow: 0 2px 10px rgba(0, 0, 0, 0.2);
animation: fadeOut 3s ease-in forwards;
}
@keyframes fadeOut {
0% { opacity: 1; }
70% { opacity: 1; }
100% { opacity: 0; }
}
.account-status {
width: 20px;
text-align: center;
}
.text-green {
color: #27ae60;
}
.js-toggle-lock-status {
cursor: pointer;
}

65
client/components/settings/peopleBody.jade
View file

@ -38,12 +38,28 @@ template(name="people")
button#searchButton
i.fa.fa-search
| {{_ 'search'}}
.divLockedUsersFilter
.flex-container
span.people-filter {{_ 'admin-people-filter-show'}}
select.user-filter#userFilterSelect
option(value="all") {{_ 'admin-people-filter-all'}}
option(value="locked") {{_ 'admin-people-filter-locked'}}
option(value="active") {{_ 'admin-people-filter-active'}}
option(value="inactive") {{_ 'admin-people-filter-inactive'}}
button#unlockAllUsers.unlock-all-btn
i.fa.fa-unlock
| {{_ 'accounts-lockout-unlock-all'}}
.ext-box-right
span {{#unless isMiniScreen}}{{_ 'people-number'}}{{/unless}} #{peopleNumber}
.divAddOrRemoveTeam#divAddOrRemoveTeam
button#addOrRemoveTeam
i.fa.fa-edit
| {{_ 'add'}} / {{_ 'delete'}} {{_ 'teams'}}
else if lockedUsersSetting.get
span
i.fa.fa-lock.text-red
unless isMiniScreen
| {{_ 'accounts-lockout-locked-users'}}
.content-body
.side-menu
@ -60,6 +76,10 @@ template(name="people")
a.js-people-menu(data-id="people-setting")
i.fa.fa-user
| {{_ 'people'}}
li
a.js-locked-users-menu(data-id="locked-users-setting")
i.fa.fa-lock.text-red
| {{_ 'accounts-lockout-locked-users'}}
.main-body
if loading.get
+spinner
@ -69,6 +89,8 @@ template(name="people")
+teamGeneral
else if peopleSetting.get
+peopleGeneral
else if lockedUsersSetting.get
+lockedUsersGeneral
template(name="orgGeneral")
@ -114,6 +136,8 @@ template(name="peopleGeneral")
tr
th
+selectAllUser
th {{_ 'accounts-lockout-status'}}
th {{_ 'admin-people-active-status'}}
th {{_ 'username'}}
th {{_ 'fullname'}}
th {{_ 'initials'}}
@ -232,8 +256,20 @@ template(name="peopleRow")
else
td
input.selectUserChkBox(type="checkbox", id="{{userData._id}}")
td.account-status
if isUserLocked
i.fa.fa-lock.text-red.js-toggle-lock-status(data-user-id=userData._id, data-is-locked="true", title="{{_ 'accounts-lockout-click-to-unlock'}}")
else
i.fa.fa-unlock.text-green.js-toggle-lock-status(data-user-id=userData._id, data-is-locked="false", title="{{_ 'accounts-lockout-user-unlocked'}}")
td.account-active-status
if userData.loginDisabled
i.fa.fa-ban.text-red.js-toggle-active-status(data-user-id=userData._id, data-is-active="false", title="{{_ 'admin-people-user-inactive'}}")
else
i.fa.fa-check-circle.text-green.js-toggle-active-status(data-user-id=userData._id, data-is-active="true", title="{{_ 'admin-people-user-active'}}")
if userData.loginDisabled
td.username <s>{{ userData.username }}</s>
else if isUserLocked
td.username {{ userData.username }}
else
td.username {{ userData.username }}
if userData.loginDisabled
@ -645,3 +681,32 @@ template(name="settingsUserPopup")
// that does now remove member from board, card members and assignees correctly,
// but that should be used to remove user from all boards similarly
// - wekan/models/users.js Delete is not enabled
template(name="lockedUsersGeneral")
.locked-users-settings
h3 {{_ 'accounts-lockout-settings'}}
p {{_ 'accounts-lockout-info'}}
h4 {{_ 'accounts-lockout-known-users'}}
.title {{_ 'accounts-lockout-failures-before'}}
.form-group
input.wekan-form-control#known-failures-before-lockout(type="number", min="1", max="10", placeholder="3" value="{{knownFailuresBeforeLockout}}")
.title {{_ 'accounts-lockout-period'}}
.form-group
input.wekan-form-control#known-lockout-period(type="number", min="10", max="600", placeholder="60" value="{{knownLockoutPeriod}}")
.title {{_ 'accounts-lockout-failure-window'}}
.form-group
input.wekan-form-control#known-failure-window(type="number", min="1", max="60", placeholder="15" value="{{knownFailureWindow}}")
h4 {{_ 'accounts-lockout-unknown-users'}}
.title {{_ 'accounts-lockout-failures-before'}}
.form-group
input.wekan-form-control#unknown-failures-before-lockout(type="number", min="1", max="10", placeholder="3" value="{{unknownFailuresBeforeLockout}}")
.title {{_ 'accounts-lockout-period'}}
.form-group
input.wekan-form-control#unknown-lockout-period(type="number", min="10", max="600", placeholder="60" value="{{unknownLockoutPeriod}}")
.title {{_ 'accounts-lockout-failure-window'}}
.form-group
input.wekan-form-control#unknown-failure-window(type="number", min="1", max="60", placeholder="15" value="{{unknownFailureWindow}}")
button.js-lockout-save.primary {{_ 'save'}}

153
client/components/settings/peopleBody.js
View file

@ -1,4 +1,5 @@
import { ReactiveCache } from '/imports/reactiveCache';
import LockoutSettings from '/models/lockoutSettings';
const orgsPerPage = 25;
const teamsPerPage = 25;
@ -14,14 +15,16 @@ BlazeComponent.extendComponent({
this.error = new ReactiveVar('');
this.loading = new ReactiveVar(false);
this.orgSetting = new ReactiveVar(true);
this.teamSetting = new ReactiveVar(true);
this.peopleSetting = new ReactiveVar(true);
this.teamSetting = new ReactiveVar(false);
this.peopleSetting = new ReactiveVar(false);
this.lockedUsersSetting = new ReactiveVar(false);
this.findOrgsOptions = new ReactiveVar({});
this.findTeamsOptions = new ReactiveVar({});
this.findUsersOptions = new ReactiveVar({});
this.numberOrgs = new ReactiveVar(0);
this.numberTeams = new ReactiveVar(0);
this.numberPeople = new ReactiveVar(0);
this.userFilterType = new ReactiveVar('all');
this.page = new ReactiveVar(1);
this.loadNextPageLocked = false;
@ -92,6 +95,34 @@ BlazeComponent.extendComponent({
this.filterPeople();
}
},
'change #userFilterSelect'(event) {
const filterType = $(event.target).val();
this.userFilterType.set(filterType);
this.filterPeople();
},
'click #unlockAllUsers'(event) {
event.preventDefault();
if (confirm(TAPi18n.__('accounts-lockout-confirm-unlock-all'))) {
Meteor.call('unlockAllUsers', (error) => {
if (error) {
console.error('Error unlocking all users:', error);
} else {
// Show a brief success message
const message = document.createElement('div');
message.className = 'unlock-all-success';
message.textContent = TAPi18n.__('accounts-lockout-all-users-unlocked');
document.body.appendChild(message);
// Remove the message after a short delay
setTimeout(() => {
if (message.parentNode) {
message.parentNode.removeChild(message);
}
}, 3000);
}
});
}
},
'click #newOrgButton'() {
Popup.open('newOrg');
},
@ -104,23 +135,50 @@ BlazeComponent.extendComponent({
'click a.js-org-menu': this.switchMenu,
'click a.js-team-menu': this.switchMenu,
'click a.js-people-menu': this.switchMenu,
'click a.js-locked-users-menu': this.switchMenu,
},
];
},
filterPeople() {
const value = $('#searchInput').first().val();
if (value === '') {
this.findUsersOptions.set({});
} else {
const filterType = this.userFilterType.get();
const currentTime = Number(new Date());
let query = {};
// Apply text search filter if there's a search value
if (value !== '') {
const regex = new RegExp(value, 'i');
this.findUsersOptions.set({
query = {
$or: [
{ username: regex },
{ 'profile.fullname': regex },
{ 'emails.address': regex },
],
});
};
}
// Apply filter based on selected option
switch (filterType) {
case 'locked':
// Show only locked users
query['services.accounts-lockout.unlockTime'] = { $gt: currentTime };
break;
case 'active':
// Show only active users (loginDisabled is false or undefined)
query['loginDisabled'] = { $ne: true };
break;
case 'inactive':
// Show only inactive users (loginDisabled is true)
query['loginDisabled'] = true;
break;
case 'all':
default:
// Show all users, no additional filter
break;
}
this.findUsersOptions.set(query);
},
loadNextPage() {
if (this.loadNextPageLocked === false) {
@ -186,6 +244,16 @@ BlazeComponent.extendComponent({
this.orgSetting.set('org-setting' === targetID);
this.teamSetting.set('team-setting' === targetID);
this.peopleSetting.set('people-setting' === targetID);
this.lockedUsersSetting.set('locked-users-setting' === targetID);
// When switching to locked users tab, refresh the locked users list
if ('locked-users-setting' === targetID) {
// Find the lockedUsersGeneral component and call refreshLockedUsers
const lockedUsersComponent = Blaze.getView($('.main-body')[0])._templateInstance;
if (lockedUsersComponent && lockedUsersComponent.refreshLockedUsers) {
lockedUsersComponent.refreshLockedUsers();
}
}
}
},
}).register('people');
@ -206,8 +274,36 @@ Template.peopleRow.helpers({
userData() {
return ReactiveCache.getUser(this.userId);
},
isUserLocked() {
const user = ReactiveCache.getUser(this.userId);
if (!user) return false;
// Check if user has accounts-lockout with unlockTime property
if (user.services &&
user.services['accounts-lockout'] &&
user.services['accounts-lockout'].unlockTime) {
// Check if unlockTime is in the future
const currentTime = Number(new Date());
return user.services['accounts-lockout'].unlockTime > currentTime;
}
return false;
}
});
// Initialize filter dropdown
Template.people.rendered = function() {
const template = this;
// Set the initial value of the dropdown
Tracker.afterFlush(function() {
if (template.findAll('#userFilterSelect').length) {
$('#userFilterSelect').val('all');
}
});
};
Template.editUserPopup.onCreated(function () {
this.authenticationMethods = new ReactiveVar([]);
this.errorMessage = new ReactiveVar('');
@ -415,6 +511,49 @@ BlazeComponent.extendComponent({
else
document.getElementById("divAddOrRemoveTeam").style.display = 'none';
},
'click .js-toggle-active-status': function(ev) {
ev.preventDefault();
const userId = this.userId;
const user = ReactiveCache.getUser(userId);
if (!user) return;
// Toggle loginDisabled status
const isActive = !(user.loginDisabled === true);
// Update the user's active status
Users.update(userId, {
$set: {
loginDisabled: isActive
}
});
},
'click .js-toggle-lock-status': function(ev){
ev.preventDefault();
const userId = this.userId;
const user = ReactiveCache.getUser(userId);
if (!user) return;
// Check if user is currently locked
const isLocked = user.services &&
user.services['accounts-lockout'] &&
user.services['accounts-lockout'].unlockTime &&
user.services['accounts-lockout'].unlockTime > Number(new Date());
if (isLocked) {
// Unlock the user
Meteor.call('unlockUser', userId, (error) => {
if (error) {
console.error('Error unlocking user:', error);
}
});
} else {
// Lock the user - this is optional, you may want to only allow unlocking
// If you want to implement locking too, you would need a server method for it
// For now, we'll leave this as a no-op
}
},
},
];
},

2
client/components/settings/settingBody.jade
View file

@ -171,6 +171,8 @@ template(name='accountSettings')
label {{_ 'no'}}
button.js-accounts-save.primary {{_ 'save'}}
// Brute force lockout settings moved to People/Locked Users section
template(name='announcementSettings')
ul#announcement-setting.setting-detail
li

16
client/components/settings/settingBody.js
View file

@ -1,6 +1,7 @@
import { ReactiveCache } from '/imports/reactiveCache';
import { TAPi18n } from '/imports/i18n';
import { ALLOWED_WAIT_SPINNERS } from '/config/const';
import LockoutSettings from '/models/lockoutSettings';
BlazeComponent.extendComponent({
onCreated() {
@ -23,6 +24,7 @@ BlazeComponent.extendComponent({
Meteor.subscribe('announcements');
Meteor.subscribe('accessibilitySettings');
Meteor.subscribe('globalwebhooks');
Meteor.subscribe('lockoutSettings');
},
setError(error) {
@ -342,15 +344,23 @@ BlazeComponent.extendComponent({
$set: { booleanValue: allowUserDelete },
});
},
// Brute force lockout settings method moved to lockedUsersBody.js
allowEmailChange() {
return AccountSettings.findOne('accounts-allowEmailChange').booleanValue;
return AccountSettings.findOne('accounts-allowEmailChange')?.booleanValue || false;
},
allowUserNameChange() {
return AccountSettings.findOne('accounts-allowUserNameChange').booleanValue;
return AccountSettings.findOne('accounts-allowUserNameChange')?.booleanValue || false;
},
allowUserDelete() {
return AccountSettings.findOne('accounts-allowUserDelete').booleanValue;
return AccountSettings.findOne('accounts-allowUserDelete')?.booleanValue || false;
},
// Lockout settings helper methods moved to lockedUsersBody.js
allBoardsHideActivities() {
Meteor.call('setAllBoardsHideActivities', (err, ret) => {
if (!err && ret) {