Document user lock due to failed sign-in attempts
We have user lockout console reset instructions documented at https://docs.gitlab.com/ee/security/unlock_user.html. However, we don't seem to have more general user lockout documentation.
I suspect we should create a new page within doc/administration/, explaining what leads to a lockout (10 failed sign-in attempts) and that the lock will automatically reset in 10 minutes. There is also an email sent to the user explaining this, as well as a link to unlock immediately.
Original description
Problem
I'm using GitLab Community Edition Omnibus. After using GitLab for over 6 years, it is the first time I've encountered a locked user. There is no indication of this state under the Admin UI (we are on 13.12.5), nor is there a path to resolution.
I found this page on unlocking a user via the console. That resolves the issue for the user, but it's not intuitive.
Proposal
There are 2 issues to be addressed:
- Under the Admin UI (probably under /admin/users) there should be some indication that a user is locked. One may argue that it isn't necessary because the user will alert an administrator to get the lock resolved. But for the following proposal, it would be necessary.
  - Add (Locked) after the user's name
- A means to unlock a locked user via the UI, rather than the console.
From the documentation, this state is triggered by 10 failed login attempts. Does it self correct after some grace period? The documentation doesn't say, so I assume it doesn't. For someone not versed in Ruby on Rails, the console method is obtuse, and it isn't obvious if it had worked.
It self-corrects after 10 minutes. This should be added to the documentation.
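The lockout behaviour this issue asks to have documented (lock after 10 failed sign-in attempts, automatic reset after 10 minutes, immediate unlock through the emailed link) can be modelled as follows. This is an added, stand-alone example and not GitLab's own code; the class and method names are hypothetical. It assumes that a successful sign-in resets the failure counter and that the emailed link carries a random token.

```ruby
require "securerandom"

# Hypothetical model of the lockout rules described in this issue.
class LockoutModel
  MAX_FAILED_ATTEMPTS = 10      # from the issue: 10 failed sign-in attempts
  UNLOCK_IN_SECONDS   = 10 * 60 # from the issue: lock resets after 10 minutes

  attr_reader :failed_attempts, :locked_at, :unlock_token

  def initialize
    clear_lock
  end

  # True while the lock is in force; a lock older than the window has expired.
  def locked?(now)
    !@locked_at.nil? && (now - @locked_at) < UNLOCK_IN_SECONDS
  end

  # One sign-in attempt at time `now`; returns :ok, :invalid or :locked.
  def sign_in(password_ok, now)
    return :locked if locked?(now) # even a correct password is refused
    clear_lock if @locked_at       # expired lock: start counting afresh
    if password_ok
      @failed_attempts = 0         # assumption: success resets the counter
      return :ok
    end
    @failed_attempts += 1
    return :invalid if @failed_attempts < MAX_FAILED_ATTEMPTS
    @locked_at = now
    @unlock_token = SecureRandom.hex(16) # stands in for the emailed unlock link
    :locked
  end

  # Immediate unlock through the emailed link.
  def unlock_with_token(token)
    return false if @unlock_token.nil? || token != @unlock_token
    clear_lock
    true
  end

  # Administrator reset, the counterpart of the documented console procedure.
  def clear_lock
    @failed_attempts = 0
    @locked_at = nil
    @unlock_token = nil
  end
end
```

The model makes visible the point users trip over: during the 10-minute window a correct password is still rejected, so the documentation should say that waiting, the emailed link, or an administrator reset are the only ways out.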