Problem/Motivation
After multiple failed login attempts (default set to 5 tries), a user can no longer log in until a certain amount of time has passed (default set to 6 hours), and instead sees the message "There have been more than 5 failed login attempts for this account. It is temporarily blocked. Try again later or request a new password." When a user uses the one-time login link to log in, then changes his/her password and logs out, the temporary block is still in place, and the user still cannot log in until the window has passed.
There is no way (other than removing the flood records from the database, or through contrib solutions #67) to remove the temporary ban (implemented through the Flood API) from the account.
This issue is about lifting the ban after a successful login through the reset password functionality. There is a separate issue to lift the ban after an account's password is changed (#2881572: User login flood lock doesn't clear when reset password as admin).
Proposed resolution
When a user logs in using the one-time login link, the temporary ban on the account should be lifted. The IP-based ban, if present, should remain in place (#35).
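The behaviour described above, as an added Python model (not Drupal code and not the patch under review): it keeps a per-account and a per-IP failure counter, and shows the account staying blocked after a reset-link login unless the per-account counter is cleared. The class, function and event names and the per-IP limit and window are assumptions made for the model.

```python
import time

USER_LIMIT, USER_WINDOW = 5, 6 * 3600   # defaults quoted above
IP_LIMIT, IP_WINDOW = 50, 3600          # assumed; the page gives no per-IP values

class Flood:
    """In-memory stand-in for a flood-control store (not Drupal's Flood API)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.events = {}  # (event name, identifier) -> expiry timestamps

    def register(self, name, ident, window):
        self.events.setdefault((name, ident), []).append(self.clock() + window)

    def is_allowed(self, name, ident, limit):
        now = self.clock()
        return sum(t > now for t in self.events.get((name, ident), [])) < limit

    def clear(self, name, ident):
        self.events.pop((name, ident), None)

def attempt_login(flood, uid, ip, password_ok):
    """Password login: both counters are checked before the password result."""
    if not flood.is_allowed("failed_login_ip", ip, IP_LIMIT):
        return "blocked_ip"
    if not flood.is_allowed("failed_login_user", uid, USER_LIMIT):
        return "blocked_user"
    if not password_ok:
        flood.register("failed_login_ip", ip, IP_WINDOW)
        flood.register("failed_login_user", uid, USER_WINDOW)
        return "bad_password"
    return "ok"

def one_time_login(flood, uid, lift_ban):
    """Login through the reset link; lift_ban=True is the proposed resolution."""
    if lift_ban:
        flood.clear("failed_login_user", uid)  # per-IP events are left alone
    return "ok"

def scenario(lift_ban):
    """Five failures, reset-link login, password change, then a correct login."""
    flood, uid, ip = Flood(), 42, "203.0.113.7"  # constructed sample values
    for _ in range(USER_LIMIT):
        attempt_login(flood, uid, ip, password_ok=False)
    one_time_login(flood, uid, lift_ban)
    result = attempt_login(flood, uid, ip, password_ok=True)
    return result, len(flood.events.get(("failed_login_ip", ip), []))

if __name__ == "__main__":
    print(scenario(lift_ban=False), scenario(lift_ban=True))
```

In both runs the per-IP counter still holds the five failed attempts, so throttling by source address is unaffected by lifting the account block.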
Remaining tasks
Patch review.
User interface changes
None.
API changes
None.
Data model changes
None.
Original report by jazzdrive3
I have a user who forgot his password, and he started getting the "5 failed attempts" message. So I go in and reset the password manually as an admin.
But the new password will not work, and he continues to get the "5 failed attempts" message. The only thing we could do was delete his user, then recreate it.
Once their password has been changed in the interface by an admin, it should clear the security block, correct? Or is there a manual way to clear the security block? Because the user still says "active".