Hey maintainers! Working on FINERACT-2004 (Login Retry Limit) and wanted to get your thoughts on something.
The core feature is done - accounts lock after N failed attempts, reset on success, toggle on/off via config. All working with tests.
But the ticket mentions "Add this to permissions list to allow granting the same to qualified roles" and I'm not 100% sure what's intended here.
Right now, unlocking a locked user happens through the existing UPDATE_USER permission (admin edits the user). But I'm wondering if the ticket wants a dedicated UNLOCK_USER permission so, say, a help desk person could unlock accounts without having full user-edit access?
If that's the case, I could:
- Add the UNLOCK_USER permission seed in this PR
- Create a follow-up ticket for the dedicated unlock endpoint, keeping this PR focused.
Or if the existing UPDATE_USER flow is fine, I'll just skip the new permission entirely.
What do you think? Happy to go either way.
Jira: https://issues.apache.org/jira/browse/FINERACT-2004
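A sketch of the lock-after-N-failures, reset-on-success and permission-gated unlock behaviour discussed in the post, added here as an illustration and not Fineract's own code: the config constants, the in-memory Account type and the UNLOCK_USER permission name are assumptions, and the unlock check accepts either UNLOCK_USER or the existing UPDATE_USER so a help-desk role could be granted only the narrower one.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch, not Fineract code: login retry limit with a config toggle
// and an unlock operation gated on a dedicated or the existing permission.
public class LoginRetryLimitExample {
    // Constructed configuration values; the names are assumptions.
    static final boolean LOCKOUT_ENABLED = true;
    static final int MAX_FAILED_ATTEMPTS = 3;

    static final class Account {
        int failedAttempts;
        boolean locked;
    }

    private final Map<String, Account> accounts = new HashMap<>();

    Account account(String username) {
        return accounts.computeIfAbsent(username, u -> new Account());
    }

    // Called after the password check; returns true if the login is accepted.
    boolean recordLoginResult(String username, boolean passwordOk) {
        Account a = account(username);
        if (a.locked) return false;          // a locked account is rejected even with the right password
        if (passwordOk) {
            a.failedAttempts = 0;            // reset the counter on success
            return true;
        }
        a.failedAttempts++;
        if (LOCKOUT_ENABLED && a.failedAttempts >= MAX_FAILED_ATTEMPTS) a.locked = true;
        return false;
    }

    // Unlock is permitted with the proposed UNLOCK_USER permission or the existing
    // UPDATE_USER, so a role can be granted the unlock alone without full user-edit rights.
    boolean unlock(String username, Set<String> callerPermissions) {
        if (!callerPermissions.contains("UNLOCK_USER") && !callerPermissions.contains("UPDATE_USER")) {
            return false;                    // caller lacks both permissions
        }
        Account a = account(username);
        a.locked = false;
        a.failedAttempts = 0;
        return true;
    }

    public static void main(String[] args) {
        LoginRetryLimitExample svc = new LoginRetryLimitExample();
        for (int i = 0; i < MAX_FAILED_ATTEMPTS; i++) svc.recordLoginResult("alice", false);
        System.out.println("locked after " + MAX_FAILED_ATTEMPTS + " failures: " + svc.account("alice").locked);
        System.out.println("help desk unlock with UNLOCK_USER only: " + svc.unlock("alice", Set.of("UNLOCK_USER")));
        System.out.println("login accepted after unlock: " + svc.recordLoginResult("alice", true));
    }
}
```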