I used Login Security module to block users after some login failures. It works fine however I need to unblock such users after certain time like after 1 hour/day. How would I do that as it has configurations to delete attempt from database but user isn't unblocked and it has to be active manually.
Please see below attached screen shot of module configuration.
you can use the following modules for managing blocked users. These help you in unblocking the user via admin UI. The modules are flood_control and flood_unblock
Url's to download the modules are https://www.drupal.org/project/flood_control https://www.drupal.org/project/flood_unblock
A small module named as Auto Unblock Users to unblock users.
Related
I am creating an AdminUI for my users where I set all the permission. As part of the requirements, every time that a user logins on my IdentityServer I need to set some default permissions, but those are handle on my Admin application. Which is the best way to raise an event to let that application that a user was created on the IdentityServer?
The simplest is i think to create a simple WebApi in IdentityServer that returns the latest users and then let the other application poll this API every X seconds. In that way the system is cleanly decoupled. Perhaps expose the data as a a RSS XML document or a JSON list of items.
There is a built in eventing model in IdentityServer that you could use and push notifications to the Admin application. But push is a bit more complicated to get right, especially how to deal with all the failre/error cases.
I's suggest to add a custom event sink to process UserLoginSuccessEvent or any other event you need, here is list of all builtin events. Find their code here.
In the custom sink as suggested in the other answer you can call an API on admin app to inform it about changes.
Here is a sample for custom sink.
I think to keep two applications decoupled you better to setup a service-bus for simple implementation a sub/pub mechanism. when any user complete registration(or any other actions),then as mentioned in another answer handle the events and add message. admin UI should subscribed before to receive these messages with some information to create a user related data.
I want to be able to make it so a registered user can only be logged into the DNN site from one device/browser at any one time.
I understand that the DNN core doesn't support sessions but does have a a users online table which is checked by the scheduler, however i have been unable to find anything available to use this method.
The main purpose is to stop a paid user from sharing their login details with multiple people and thereby diluting the potential revenue to the site. I would think this was not a unique use case and someone must have dealt with this previously.
Open to any and all ideas including commercial modules.
I suppose that you could create a custom login module, and reject logins from a user who appear as active in the UsersOnline table.
I haven't looked around to see what methods are available, but the old usersonline module should provide some hints.
I'm building an application using AngularJS and usin Auth0 for authentication.
I wish to let the user know when Caps Lock is enabled. Same as when we log into Windows; the yellow string that says Caps Lock is on. So that he doesn't waste his time typing-in his password in caps.
I also wish to have a functionality which would let user see his password while typing (Show Password).
I went to the Auth0 customization page and could not find any property that I can put on in window.Auth0.signIn({}); to observe the desired effect.
For angular.js I used this neat thing:
https://github.com/FabioMR/ng-caps-lock
The Auth0 hosted login page, by default, uses Lock to provide the authentication process. There is some degree of customization that you can perform simply by configuring Lock itself.
However, for complete control of the authentication experience you can fully customize the login page, including providing authentication through other means than Lock. In this scenario, you'll be able to have the exact UX that you want and meet your requirements for a CAPS LOCK indicator and show password option.
I'm working on a 100% ExtJS application; the browser downloads all the JavaScript and a single HTML file once; everything runs in the browser after that.
When all the panels are rendered at startup (i.e., when Ext.onReady() fires) I need some panels to be hidden depending on the user's permissions. Is there a common/best practice for configuring the GUI at startup depending on user permissions?
I think one solution might be to have some panels hidden by default. An AJAX call could be made at startup to get user permissions, and then panels could be un-hidden depending on those permissions. However, I suspect there are better solutions.
Any tips would be greatly appreciated.
Note: I understand that the front-end javascript can't be trusted as the sole mechanism for security checks and that the backend application would need to verify all the actions received from the front-end.
Why not just write a server-side script that outputs privileged client-side code based on the user's authentication status? Instead of having your client-side code fetch permission data and branch on them, just have the client-side hit a script that outputs the appropriate javascript.
So if you've got a special "SuperAdminPanel" component, the only way the client ever sees the code is if they hit your authentication-aware user-js script, and are recognized as a super-admin.
In the general case, such a script could just echo out the appropriate script for the currently-authenticated user's level. It could easily be extended to pass code or configuration specific to individual users, as well.
I want to get the privileges of a selected user on a local machine. I know how to get them from the current user, so my problem is how to open a process as as a different user.
I'm currently looking for more info about CreateProcessAsUser()
thanks
You shouldnt create a process as a different user just to get his priviledges. To get an user priviledges you need an iudentity token. To start a process as an user you need an impersonate token. Idenity tokens are very low security risk, impersonation tokens on the other hand are very serious business. At the very least, you need to know the password of the user in order to impersonate (or have an impesonation capable context, like an SSPI exchange security context).
Use LookupAccountName to get the SID, LsaOpenPolicy and LsaEnumerateAccountRights.
Check this link for how to do this from a service within Delphi: Launch your application in Vista under the local system account without the UAC popup
To launch a process under the local
system account I perform the following
steps (from a service application):
Get the Active Console SessionId using WTSGetActiveConsoleSessionId
Since I need to launch the application under a system account, I
use the token from Winlogon, since
Winlogon runs under the system
account. So I obtain the process ID of
Winlogon and Duplicate the token.
Then I make sure I sent the startupinfo parameter lpDesktop to
winsta0\Default since I need to launch
my process there.
Then I use CreateProcessAsUser with Winlogon's duplicate token to
launch my process into session 1.
That's all. I am done.