From f0085ef43e0831c06aded90b06b2ba197482265a Mon Sep 17 00:00:00 2001 From: Ludovic Marcotte Date: Wed, 14 Dec 2016 21:20:29 -0500 Subject: [PATCH] (fix) correctly block if fail count is within interval (fixes #2850) --- SoObjects/SOGo/SOGoCache.m | 2 ++ SoObjects/SOGo/SOGoUserManager.m | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/SoObjects/SOGo/SOGoCache.m b/SoObjects/SOGo/SOGoCache.m index dcb570cdd..a4c1d509b 100644 --- a/SoObjects/SOGo/SOGoCache.m +++ b/SoObjects/SOGo/SOGoCache.m @@ -505,6 +505,8 @@ static memcached_st *handle = NULL; { [d setObject: [NSNumber numberWithUnsignedInt: [[NSCalendarDate date] timeIntervalSince1970]] forKey: @"InitialDate"]; } + + [d setObject: [NSNumber numberWithUnsignedInt: [[NSCalendarDate date] timeIntervalSince1970]] forKey: @"LastRequestDate"]; [d setObject: count forKey: @"FailedCount"]; [self _cacheValues: [d jsonRepresentation] diff --git a/SoObjects/SOGo/SOGoUserManager.m b/SoObjects/SOGo/SOGoUserManager.m index 4c86b4793..8af8e73f6 100644 --- a/SoObjects/SOGo/SOGoUserManager.m +++ b/SoObjects/SOGo/SOGoUserManager.m @@ -531,9 +531,9 @@ static Class NSNullK; grace: (int *) _grace useCache: (BOOL) useCache { + NSString *dictPassword, *username, *jsonUser; NSMutableDictionary *currentUser; NSDictionary *failedCount; - NSString *dictPassword, *username, *jsonUser; SOGoSystemDefaults *sd; BOOL checkOK; 
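Review bot: In SOGoCache.m the added `LastRequestDate` line evaluates `[[NSCalendarDate date] timeIntervalSince1970]` a second time, separately from the `InitialDate` assignment just above it, so on a first failure the two stamps can differ. Taking the time once into a local, e.g. `NSNumber *now = [NSNumber numberWithUnsignedInt: [[NSCalendarDate date] timeIntervalSince1970]];`, and storing `now` under both keys would keep them consistent. A short comment such as `// refreshed on every call; read by the lockout check in SOGoUserManager` would document why the key exists. The enclosing method starts and ends outside the hunk, so whether this line also runs when the count is reset to 0 cannot be seen here.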
@@ -573,23 +573,25 @@ static Class NSNullK; failedCount = [[SOGoCache sharedCache] failedCountForLogin: username]; if (failedCount) { - unsigned int current_time, start_time, delta, block_time; + unsigned int current_time, last_request_time, start_time, delta_start, delta_last_request, block_time; current_time = [[NSCalendarDate date] timeIntervalSince1970]; start_time = [[failedCount objectForKey: @"InitialDate"] unsignedIntValue]; - delta = current_time - start_time; + last_request_time = [[failedCount objectForKey: @"LastRequestDate"] unsignedIntValue]; + delta_start = current_time - start_time; + delta_last_request = current_time - last_request_time; block_time = [sd failedLoginBlockInterval]; if ([[failedCount objectForKey: @"FailedCount"] intValue] >= [sd maximumFailedLoginCount] && - delta >= [sd maximumFailedLoginInterval] && - delta <= block_time ) + delta_last_request >= [sd maximumFailedLoginInterval] && + delta_start <= block_time ) { *_perr = PolicyAccountLocked; return NO; } - if (delta > block_time) + if (delta_start > block_time) { [[SOGoCache sharedCache] setFailedCount: 0 forLogin: username];
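Review bot: The new test `delta_last_request >= [sd maximumFailedLoginInterval]` locks the account only when the most recent failed request is at least one interval old, so a client that keeps failing faster than the interval appears never to reach `PolicyAccountLocked`; this assumes `LastRequestDate` is refreshed on every failure, as the SOGoCache.m hunk suggests. If the setting means "failures inside this window trigger the lock", the comparison would read `delta_last_request < [sd maximumFailedLoginInterval] &&`; please confirm against the documented semantics and add a comment stating which reading is intended. Note also that `[[failedCount objectForKey: @"LastRequestDate"] unsignedIntValue]` yields 0 for entries cached before this change, so `delta_last_request` equals `current_time` for them. A test covering rapid failures, slow failures and a legacy cache entry would pin the behaviour. The method body starts and ends outside the hunk.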