Locking out users #7352

Open

pddocs opened this issue Oct 14, 2024 · 3 comments

Comments

@pddocs

pddocs commented Oct 14, 2024

Currently, when any user successively enters wrong user credentials (username, user password, or wrong 2fa code), the account gets locked as expected. However, they face some roadblocks:

  • On the login page, they only see this error on the login page (see image below). They find out they are currently locked out only when they access their inbox and see the Uwazi email notification.
    [Screenshot: login page error, 2024-10-14 18:08:41]

  • On clicking the link in the email, the user comes back to the login page (see screencast below). If the expectation is to click on Forgot Password, how can it be communicated clearly to the user?

    [Screencast: Locked.Account.mov]

  • Related to the second point, what if the user enters a wrong username with the right password? Forgot Password does not work. In that case, how can the user know that they need to contact an admin user to unlock them from the Settings?

@roirobo

@pddocs pddocs added the Support label Oct 14, 2024
@roirobo

roirobo commented Oct 14, 2024

My two cents here:

  • By stating in the error message on the login page that the user has been blocked, this could incur a security risk in a scenario of a potential attack on the instance.
  • Ideally, the Uwazi email notification should include the username.
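To illustrate the two points above in code (an added example, not Uwazi's own implementation): the on-page error stays identical for an unknown username, a wrong password and a locked account, so the page never reveals lockout state, while the real reason goes to a server-side audit log and the lockout email names the account. The threshold, account fields and the in-memory "outbox" are constructed for the demo.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3                      # assumed threshold, constructed for the demo
GENERIC_ERROR = "Invalid credentials"  # same text for every failure mode


@dataclass
class Account:
    username: str
    password: str   # plaintext only for this demo; real code stores a password hash
    email: str
    failures: int = 0
    locked: bool = False


@dataclass
class LoginService:
    accounts: dict
    audit_log: list = field(default_factory=list)  # server-side record of the true reason
    outbox: list = field(default_factory=list)     # constructed stand-in for sending email

    def login(self, username: str, password: str):
        """Return (success, user-facing message). The message never leaks account state."""
        acct = self.accounts.get(username)
        if acct is None:
            # Wrong username (even with the right password) gets the same page error.
            self.audit_log.append(("unknown_user", username))
            return (False, GENERIC_ERROR)
        if acct.locked:
            # Locked accounts are told nothing on the page; the email already informed them.
            self.audit_log.append(("locked", username))
            return (False, GENERIC_ERROR)
        if password != acct.password:
            acct.failures += 1
            self.audit_log.append(("bad_password", username))
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                # Notification includes the username so the owner knows which account.
                self.outbox.append({
                    "to": acct.email,
                    "subject": "Account locked",
                    "body": (f"Your account '{username}' was locked after "
                             f"{MAX_FAILURES} failed sign-in attempts. Use Forgot "
                             "Password to reset it, or contact an admin to unlock it."),
                })
            return (False, GENERIC_ERROR)
        acct.failures = 0   # successful login clears the counter
        return (True, "ok")
```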

@RafaPolit
Member

The product team will discuss the User Experience process to correctly reflect what should be the right wording and what system should be used to explain the process (the forgot password text could include "unblock user", or the email could mention to follow the forgot password process, etc.).

@RafaPolit RafaPolit added the UX label Oct 18, 2024