Re: Bug #6337 Patch

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
Cc: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>, Florian Sabonchi <sabonchi(at)posteo(dot)de>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Bug #6337 Patch
Date: 2021-07-22 08:31:08
Message-ID: CA+OCxozNGoc+yc1XjpEJdse1yWxmvMtKSX8Aobh2yfQCSE=pfA@mail.gmail.com
Lists: pgadmin-hackers

On Thu, Jul 22, 2021 at 9:19 AM Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
wrote:

> On Thu, Jul 22, 2021 at 12:27 PM Akshay Joshi <
> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>
>> Hi Florian
>>
>> Thanks, the patch applied.
>>
>> I have changed the flash string from 'Account locked' to 'Your account is
>> locked. Please contact the Administrator.'
>>
> I have a scenario.
> I have only one user in pgAdmin.
>
> What would happen then?
> + Does it lock that user too?
>

Yes.

> + If yes - do we have information in the document to unlock that user?
>

I hope so :-p

>
> I am also curious about another case. A hacker can use multiple users for
> the same.
> Should we also lock/avoid requests from a particular ip-address/machine
> for X minutes/hours?
>

That's more difficult to deal with - there are common deployment scenarios
where all connections might appear to come from a single IP, for example,
when behind a load balancer (there are good reasons to do that, even with a
single pgAdmin instance) or proxy. In such cases we may or may not get an
X-Forwarded-For header, and even if we do it may not be reliable.

--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com
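An added example illustrating the X-Forwarded-For caveat raised above (this is not pgAdmin code and not from anyone on this thread): a login-throttling layer behind a load balancer can only use the header safely if it walks the hop chain from the right and discards the addresses its own trusted proxies appended; the naive "leftmost hop" reading is attacker-controlled. The proxy network, addresses and header values below are constructed.

```python
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For header into its hop list (leftmost = claimed client)."""
    if not header:
        return []
    return [h.strip() for h in header.split(",") if h.strip()]


def naive_client_ip(remote_addr, xff_header):
    """The spoofable reading: believe whatever the leftmost hop claims."""
    hops = parse_xff(xff_header)
    return hops[0] if hops else remote_addr


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Derive the address a lockout counter should key on.

    remote_addr: the TCP peer the app actually accepted (always trustworthy).
    trusted_proxies: CIDR networks (hypothetical) of the load balancers / proxies
    in front of this app. Hops to the left of what they appended were supplied
    by the client and may be forged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # junk in the header is never one of our proxies
        return any(ip in n for n in nets)

    # Full chain, rightmost element being the peer that really connected.
    chain = parse_xff(xff_header) + [remote_addr]
    for hop in reversed(chain):
        if not trusted(hop):
            return hop
    # Every hop was one of our own proxies (or no proxy list was configured):
    # fall back to the peer address, so a misconfiguration degrades to
    # "everyone shares one IP" rather than to attacker-chosen input.
    return remote_addr
```

With an empty `trusted_proxies` list the function returns the load balancer's address for every request, which is exactly the "all connections appear to come from a single IP" situation described in the reply.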
