From bcfe20dd2b87d4af068ebde48b8285640dacdbfd Mon Sep 17 00:00:00 2001
From: Cameron
Date: Sun, 12 Apr 2015 22:34:44 -0700
Subject: [PATCH] Allow admin to set a failed-login attempt limit before auto-banning occurs.
---
e107_admin/prefs.php | 7 +++++++
e107_handlers/form_handler.php | 8 +++++---
e107_handlers/login.php | 15 +++++++++------
3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/e107_admin/prefs.php b/e107_admin/prefs.php
index bdb56ee30..1543aa205 100644
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@@ -2005,6 +2005,13 @@ $text .= "
".PRFLAN_91."
+ + + + ".$frm->number('failed_login_limit', varset($pref['failed_login_limit'],10), 3, array('max'=>10, 'min'=>0))." +
Failed logins from the same IP will be banned after this many attempts.
+
+
diff --git a/e107_handlers/form_handler.php b/e107_handlers/form_handler.php
index dfd26557b..90c2d87a0 100644
--- a/e107_handlers/form_handler.php
+++ b/e107_handlers/form_handler.php
@@ -440,11 +440,13 @@ class e_form
 $options['type'] ='number';
 $mlength = vartrue($maxlength) ? "maxlength=".$maxlength : "";
-
+
+ $min = varset($options['min']) ? 'min="'.$options['min'].'"' : '';
+ $max = vartrue($options['max']) ? 'max="'.$options['max'].'"' : '';
+
 $options = $this->format_options('text', $name, $options);
- $min = vartrue($options['min']) ? 'min="'.$options['min'].'"' : '';
- $max = vartrue($options['max']) ? 'min="'.$options['max'].'"' : '';
+
 //never allow id in format name-value for text fields
 if(deftrue('BOOTSTRAP'))
diff --git a/e107_handlers/login.php b/e107_handlers/login.php
index 0e17f2724..ccdb00b61 100644
--- a/e107_handlers/login.php
+++ b/e107_handlers/login.php
@@ -534,12 +534,15 @@ class userlogin
 e107::getMessage()->addError(LOGINMESSAGE);
- if ($doCheck)
- { // See if ban required (formerly the checkibr() function)
- if($pref['autoban'] == 1 || $pref['autoban'] == 3)
- { // Flood + Login or Login Only.
+ if ($doCheck) // See if ban required (formerly the checkibr() function)
+ {
+ if($pref['autoban'] == 1 || $pref['autoban'] == 3) // Flood + Login or Login Only.
+ {
 $fails = $sql->count("generic", "(*)", "WHERE gen_ip='{$this->userIP}' AND gen_type='failed_login' ");
- if($fails > 10)
+
+ $failLimit = vartrue($pref['failed_login_limit'],10);
+
+ if($fails >= $failLimit)
 {
 $time = time();
 e107::getIPHandler()->add_ban(4,LAN_LOGIN_18,$this->userIP,1);
@@ -548,7 +551,7 @@ class userlogin
 }
 }
 }
- return FALSE; // Passed back to signal failed login
+ return false; // Passed back to signal failed login
 }
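Review bot: The new number field allows `'min'=>0`, but `e107_handlers/login.php` reads the setting with `vartrue($pref['failed_login_limit'],10)`, so a saved 0 (or '0') is treated as unset and silently becomes 10 — an admin cannot use the lower bound the form offers, and the help text does not say so. Either raise the field's `min` to 1 or read the pref with `isset`/`(int)` and document what 0 means; the same point applies to the login.php hunk. The help text `Failed logins from the same IP will be banned after this many attempts.` is a hard-coded English string next to the `PRFLAN_91` constant on the previous line and presumably belongs in a language constant like its neighbours. The `$text .=` string this hunk extends starts before the hunk.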
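Review bot: `$min` is built with `varset` while `$max` uses `vartrue`, and both drop the attribute when the option is 0: `varset($options['min'])` returns 0 for `'min'=>0`, the ternary then yields `''`, so the `min="0"` the new prefs.php field asks for is never rendered and the browser accepts negative input. Test presence rather than truthiness, e.g. `$min = isset($options['min']) ? 'min="'.$options['min'].'"' : '';` and `$max = isset($options['max']) ? 'max="'.$options['max'].'"' : '';`. Moving the two lines above `format_options()` looks deliberate (presumably it discards unknown keys), but a one-line comment saying so would spare the next reader the guess. The enclosing method (presumably `number()`) starts and ends outside the hunk.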
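Review bot: `$failLimit` is compared without being validated — `vartrue` only substitutes the default when the pref is empty, so a non-numeric or out-of-range value stored in `failed_login_limit` is used as-is, and the `'max'=>10` on the admin field is a client-side HTML attribute with no server-side check visible in this patch. Cast and bound it where it is read, e.g. `$failLimit = (int) vartrue($pref['failed_login_limit'], 10);` followed by a clamp to the documented range. Replacing `> 10` with `>= $failLimit` also lowers the default threshold by one against the previous behaviour; if intended, say so on the line, e.g. `// ban once the recorded failures for this IP reach the configured limit`. The unchanged `$fails` query above still interpolates `$this->userIP` into the SQL string; unless it is validated upstream, that line is worth moving to a parameterised query when this area is next touched.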