Re: Bug #6337 Patch

From: Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
To: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
Cc: Dave Page <dpage(at)pgadmin(dot)org>, Florian Sabonchi <sabonchi(at)posteo(dot)de>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: Bug #6337 Patch
Date: 2021-07-22 09:45:05
Message-ID: CANxoLDfVh4bLOOZER5d-SJ2Hvh7qva9RFJqGT=V17hyLx-1LCA@mail.gmail.com
Lists: pgadmin-hackers

On Thu, Jul 22, 2021 at 3:05 PM Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
wrote:

> On Thu, Jul 22, 2021 at 2:01 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>>
>>
>> On Thu, Jul 22, 2021 at 9:19 AM Ashesh Vashi <
>> ashesh(dot)vashi(at)enterprisedb(dot)com> wrote:
>>
>>> On Thu, Jul 22, 2021 at 12:27 PM Akshay Joshi <
>>> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi Florian
>>>>
>>>> Thanks, the patch applied.
>>>>
>>>> I have changed the flash string from 'Account locked' to 'Your account
>>>> is locked. Please contact the Administrator.'
>>>>
>>> I have a scenario.
>>> I have only one user in pgAdmin.
>>>
>>> What would happen then?
>>> + Does it lock that user too?
>>>
>>
>> Yes.
>>
>>
>>> + If yes - do we have information in the document to unlock that user?
>>>
>>
>> I hope so :-p
>>
> Akshay?
>

Will check, if not there I'll update the documentation.

>
> -- Ashesh
>
>>
>>
>>>
>>> I am also curious about another case. A hacker can use multiple users
>>> for the same.
>>> Should we also lock/avoid requests from a particular ip-address/machine
>>> for X minutes/hours?
>>>
>>
>> That's more difficult to deal with - there are common deployment
>> scenarios where all connections might appear to come from a single IP, for
>> example, when behind a load balancer (there are good reasons to do that,
>> even with a single pgAdmin instance) or proxy. In such cases we may or may
>> not get an X-Forwarded-For header, and even if we do it may not be reliable.
>>
>>
>> --
>> Dave Page
>> Blog: https://pgsnake.blogspot.com
>> Twitter: @pgsnake
>>
>> EDB: https://www.enterprisedb.com
>>
>>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*
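
Added example, not part of the thread and not pgAdmin's code: a Python sketch of the difficulty Dave Page describes with throttling by address when a load balancer or proxy sits in front of the application. The trusted subnet `10.0.0.0/24` and the names `client_ip` and `FailureCounter` are hypothetical and constructed for illustration.

```python
import ipaddress

# Assumed deployment: one load-balancer subnet in front of the app (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _trusted(addr):
    """True if addr parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff=None):
    """Return the address a failed login should be attributed to.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and it is read right to left: everything to the left of the entry added
    by the last trusted proxy is text supplied by the client.
    """
    if not xff or not _trusted(remote_addr):
        return remote_addr  # no header, or header from an untrusted peer
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if _trusted(hop):
            continue  # another proxy of ours, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        return hop
    return remote_addr  # header listed only our own proxies


class FailureCounter:
    """Counts failed logins per key (a user name or a client address)."""

    def __init__(self, limit):
        self.limit = limit
        self.failures = {}

    def record_failure(self, key):
        """Record one failure; return True once the key has reached the limit."""
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key] >= self.limit
```

When the proxy sends no header, every client resolves to the proxy's own address, so a per-address counter locks all users together after `limit` failures from anyone.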
