Whitelisted IP address still listed in flood unblock

Created on 26 June 2024, 10 months ago

Problem/Motivation

I added several IPs (Full IPv4's) to the whitelist of IPs not to be blocked (/admin/config/people/flood-control). This is possible since ✨ Add the possibility to white list specific IPs Fixed

But still these IPs get listed at: /admin/people/flood-unblock
Now I'm in fear they might get blocked in the future, despite being whitelisted.

Is it correct that these are still being listed, or is this a sign that the whitelist functionality doesn't work as expected?

I already cleared the flood entries, but after some days they reappear (due to wrong logins from these users).

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

2.3

Component

Code

Created by

🇩🇪 Germany Anybody Porta Westfalica

Merge Requests

Comments & Activities

  • Issue created by @Anybody
  • 🇩🇪 Germany Anybody Porta Westfalica
  • 🇩🇪 Germany Anybody Porta Westfalica
  • 🇩🇪 Germany Anybody Porta Westfalica
  • 🇳🇱 Netherlands batigolix Utrecht
  • 🇨🇦 Canada bdunphy

    This issue just occurred for a site we maintain. The IP address in the whitelist was blocked. Removed from the IP address bans list and with just one more failed login attempt, the IP was again banned. The whitelist functionality does not seem to be fully tested.

  • 🇩🇪 Germany Anybody Porta Westfalica

    Thanks for the confirmation @bdunphy, then let's make this major

  • Assigned to anish.ir
  • 🇩🇪 Germany Anybody Porta Westfalica

    @anish.ir any further plans? Else please unassign.

  • Hey @anybody,

    Sorry for the delay in responding.

    I have tested the module and found that the IP whitelist functionality on /admin/config/people/flood-control is working as expected: whitelisted IPs are not being blocked. However, these IPs are still appearing on the /admin/people/flood-unblock page, which might be causing confusion.

    To address this, we have two possible approaches:

    Hide whitelisted IPs from the Flood Unblock page, but keep them in the flood table

    • This would allow us to maintain a historical record of failed login attempts for whitelisted IPs.
    • If needed, removing an IP from the whitelist would make its past login attempts visible again on the Flood Unblock page.

    Completely exclude whitelisted IPs from both the Flood Unblock page and the flood table

    • This would ensure that whitelisted IPs are never recorded in the flood system at all.
    • However, it would also mean losing any history of failed login attempts for these IPs.

    Would love to hear your thoughts on which approach aligns best with the intended behaviour of the module. Let me know how you'd like to proceed! Or is there any other approach you would like to be followed?

    Thanks!

  • 🇨🇦 Canada bdunphy

    @anish.ir - from my perspective, if an IP is whitelisted, it should not be recorded. I lean towards the second option to completely exclude whitelisted IPs from the Flood Unblock page and the flood table.

  • Hey,

    I have raised the merge request with the required changes.
    With this update, any IP added to the whitelist will no longer be logged in the flood table or appear on the /flood-unblock page. Additionally, when a new IP is added to the whitelist, any existing flood entries for that IP will be removed from both the flood table and the /flood-unblock page.

    Let me know if you'd like any further refinements!
    Thanks!!

  • 🇳🇱 Netherlands batigolix Utrecht

    I feel there are issues being mixed up here:

    1. IPs are being added to the flood table even after they have been white listed. This means the white listing functionality isn't working properly and that should be addressed.

    2. White listed IPs are being shown in /admin/people/flood-unblock, because at the time of recording they were not white listed. This is working as designed. The list at /admin/people/flood-unblock shows what is in Drupal core's flood table. We should not filter anything away (even white listed IPs) or remove anything without the user knowing about this. The user already has the option to remove items from the table, so we don't need to do that in the background.

    If you provide a patch, then ensure that it only addresses problem 1: white listed IPs still ending up in the flood table after having been white listed.

    Is there more information on how this problem can be reproduced?

  • 🇩🇪 Germany Anybody Porta Westfalica

    Just seem to have run into the (1) issue. While the IP was already whitelisted (and I'm quite sure, I removed it from /admin/people/flood-unblock), it has now been blocked (1) and listed (2) again, after some months. Still, I'm not sure how that could happen.

    Any other modules that might add the IP and ignore the whitelist perhaps?
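
A triage sketch for the two cases distinguished in the thread (flood entries recorded before an IP was whitelisted versus after it), added here as an example and not part of the thread or the module's code. It assumes the columns of Drupal core's flood table, core's `IP` and `uid-IP` identifier formats, and that the admin knows when each IP was whitelisted; the IPs, timestamps and rows are constructed.

```python
import ipaddress
import sqlite3

# Assumption: the admin knows when each IP was whitelisted (e.g. from a config
# export); the module is not assumed to store this. Constructed sample value.
WHITELISTED_AT = {"203.0.113.10": 1_700_000_000}

# Constructed sample rows in the shape of Drupal core's flood table.
SAMPLE_ROWS = [
    ("user.failed_login_ip", "203.0.113.10", 1_699_990_000),
    ("user.failed_login_user", "5-203.0.113.10", 1_699_995_000),
    ("user.failed_login_ip", "203.0.113.10", 1_700_050_000),
    ("user.failed_login_user", "5-203.0.113.10", 1_700_050_000),
    ("user.failed_login_ip", "198.51.100.7", 1_700_060_000),
]

def ip_from_identifier(identifier):
    """Core stores either 'IP' or 'uid-IP' as the flood identifier."""
    for candidate in (identifier, identifier.partition("-")[2]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None  # uid-only identifiers carry no IP

def classify(db, whitelisted_at):
    """Split flood rows for whitelisted IPs into before/after whitelisting."""
    report = {ip: {"before": [], "after": []} for ip in whitelisted_at}
    for event, identifier, ts in db.execute(
            "SELECT event, identifier, timestamp FROM flood ORDER BY timestamp"):
        ip = ip_from_identifier(identifier)
        if ip in whitelisted_at:
            bucket = "after" if ts >= whitelisted_at[ip] else "before"
            report[ip][bucket].append((event, ts))
    return report

def load_sample():
    """Build an in-memory stand-in for the flood table from SAMPLE_ROWS."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flood (fid INTEGER PRIMARY KEY, event TEXT, "
               "identifier TEXT, timestamp INTEGER, expiration INTEGER)")
    db.executemany(
        "INSERT INTO flood (event, identifier, timestamp, expiration) "
        "VALUES (?, ?, ?, ?)",
        [(e, i, t, t + 3600) for e, i, t in SAMPLE_ROWS])
    return db

if __name__ == "__main__":
    for ip, rows in classify(load_sample(), WHITELISTED_AT).items():
        # Any "after" row means the IP was recorded despite the whitelist.
        print(ip, "before:", len(rows["before"]), "after:", len(rows["after"]))
```

Rows in the "before" bucket match case 2 in the thread (recorded before whitelisting); rows in "after" are evidence for case 1, and their `event` value shows which login path wrote them.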