Re: Bug #6337 Patch

On Thu, Jul 22, 2021 at 2:01 PM Dave Page <dpage@pgadmin.org> wrote:

On Thu, Jul 22, 2021 at 9:19 AM Ashesh Vashi <ashesh.vashi@enterprisedb.com> wrote:

On Thu, Jul 22, 2021 at 12:27 PM Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Hi Florian

Thanks, the patch applied. 

I have changed the flash string from 'Account locked' to 'Your account is locked. Please contact the Administrator.'

I have a scenario.

I have only one user in pgAdmin.

What would happen then?

+ Does it lock that user too?

Yes.

 

+ If yes - do we have information in the document to unlock that user?

I hope so :-p

Akshay?

-- Ashesh 

 

I am also curious about another case. A hacker can use multiple users for the same.

Should we also lock/avoid requests from a particular ip-address/machine for X minutes/hours?

That's more difficult to deal with - there are common deployment scenarios where all connections might appear to come from a single IP, for example, when behind a load balancer (there are good reasons to do that, even with a single pgAdmin instance) or proxy. In such cases we may or may not get an X-Forwarded-For header, and even if we do it may not be reliable.

 

--

Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com