Closed
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
admin/ui
Describe the bug
When a user is temporarily locked out due to brute force protection and then automatically unlocked after the configured duration, switching the lockout policy to permanent and re-locking the same user does not mark the user as “disabled” in the admin UI, even though the user cannot log in anymore.
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
After re-locking a user under the permanent lockout policy, the user should be visibly marked as “disabled” in the admin UI’s user list.
Actual behavior
The user is permanently locked out and cannot log in, but the “disabled” status/flag is not displayed in the user list. This creates confusion and makes it harder for administrators to identify locked-out users.
How to Reproduce?
How to reproduce:
- Configure brute force protection with a temporary lockout policy.
- Trigger brute force protection by submitting multiple invalid login attempts for user X.
- Wait until the user is automatically unlocked after the configured wait period.
- Do not perform any actions on user X or log in with the user.
- Change the brute force configuration to use permanent lockout.
- Again, initiate multiple invalid login attempts for user X to trigger lockout.
- User X is now permanently locked out, but the user is not marked as disabled in the admin UI.
Anything else?
No response