Bug 21311: Remove locked message from opac-auth.tt

We should not expose more information than needed when someone tries
to login with invalid credentials. Saying that an account is locked
reveals that the account exists (or perhaps an email address).

Trivial fix. Keeping the var too_many_login_attempts for staff.
Note: We do not remove this distinction for the staff client here (in the
assumption that a library may well have additional security measures in
place for staff client). But it could be done too (on another report).

Test plan:
Enable lockout feature.
Enter invalid credentials until account locks out (on OPAC !!)
Note that message does no longer change to 'Account is locked'.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
index 765a6d5..5c7622e 100644 (file)
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-auth.tt
@@ -57,19 +57,10 @@
                             [% END %]
 
 
-                            [% IF too_many_login_attempts %]
+                            [% IF invalid_username_or_password || too_many_login_attempts %]
+                                <!-- This is what is displayed if user doesnt have permission or account is locked. (Do not expose more information than needed.) -->
                                 <div class="alert alert-info">
-                                This account has been locked!
-                                [% IF Koha.Preference('OpacResetPassword') %]
-                                    <a href="/cgi-bin/koha/opac-password-recovery.pl">You must reset your password</a>.
-                                [% ELSE %]
-                                    Please contact a library staff member.
-                                [% END %]
-                                </div>
-                            [% ELSIF invalid_username_or_password %]
-                                <!-- This is what is displayed if user doesnt have permission -->
-                                <div class="alert alert-info">
-                                    <p>You entered an incorrect username or password. Please try again! And remember, passwords are case sensitive.</p>
+                                    <p>You entered an incorrect username or password. Please try again! And remember, passwords are case sensitive. Please contact a library staff member if you continue to have problems.</p>
                                 </div>
                             [% END %]