[D7] Clear the "5 failed login attempts" security message when a user resets their own password (d.o #2880910)
From https://www.drupal.org/project/drupal/issues/2880910 (backport from D8 to D7):
If a user forgets their password and tries to log in 5 times then they get blocked by flood control. They can now use the password reset functionality per email, but once they log out shortly after that they are still blocked when trying to log in again.
Proposed resolution: Clear the user-specific flood events once they have used the password reset functionality so that they are able to log in normally again. Do not clear IP address specific flood events because then an attacker with a valid account could clear flood events for victim user accounts.
https://git.drupalcode.org/project/drupal/-/commit/80cc74478787cf200479623f24fdea2b298ff76d
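The proposed resolution above, as a simplified in-memory model (an added example, not part of the original issue and not the Drupal or Backdrop code). The `Flood` class, the function names, `IP_LIMIT` and `WINDOW` are assumptions for illustration; only the limit of 5 failed attempts comes from the issue.

```python
from collections import defaultdict

USER_EVENT = "failed_login_attempt_user"  # per-account counter
IP_EVENT = "failed_login_attempt_ip"      # per-source-address counter
USER_LIMIT = 5    # the "5 failed login attempts" from the issue
IP_LIMIT = 50     # assumed value for this model
WINDOW = 3600     # assumed window in seconds, same for both events


class Flood:
    """Minimal in-memory stand-in for a flood-control table."""

    def __init__(self):
        self.events = defaultdict(list)  # (event, identifier) -> timestamps

    def register(self, event, identifier, now):
        self.events[(event, identifier)].append(now)

    def is_allowed(self, event, identifier, limit, now):
        recent = [t for t in self.events[(event, identifier)] if now - t < WINDOW]
        return len(recent) < limit

    def clear(self, event, identifier):
        self.events.pop((event, identifier), None)


def login(flood, uid, ip, password_ok, now):
    """Return 'blocked', 'failed' or 'ok' for one login attempt."""
    if not flood.is_allowed(IP_EVENT, ip, IP_LIMIT, now):
        return "blocked"
    if not flood.is_allowed(USER_EVENT, uid, USER_LIMIT, now):
        return "blocked"
    if not password_ok:
        flood.register(IP_EVENT, ip, now)
        flood.register(USER_EVENT, uid, now)
        return "failed"
    flood.clear(USER_EVENT, uid)
    return "ok"


def password_reset(flood, uid):
    """Successful one-time reset link: clear only the account's own events.

    The IP counter is left alone, so holding one valid account does not
    let a client wipe the record of its failed attempts on other accounts.
    """
    flood.clear(USER_EVENT, uid)
```
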
This makes a lot of sense to me.
@argiepiano I've got a PR. It's a little bit different from the D7 version because of previous changes in Backdrop.
@herbdool - I followed the steps in the original issue on a default site and recreated the problem. I then tried again with a local site using your PR and the problem was fixed for me.
After resetting my password, I was able to log out and log in again immediately afterwards with my new password, despite being previously blocked.
Do you think I need to test anything else? Marking this WFM.
That's it, thanks @stpaultim
I have tested the PR as a patch on a local site and also confirm it works as expected. This was with Backdrop 1.28.0-preview.
Very nice @herbdool! I merged https://github.com/backdrop/backdrop/pull/4675 into 1.x and 1.28.x. Thank you @stpaultim and @izmeez for reviewing!