From 8a8feead27c786ce872417cae7bd391f46e95675 Mon Sep 17 00:00:00 2001 From: Daniel Kesselberg Date: Wed, 1 Jul 2026 10:56:25 +0200 Subject: [PATCH] fix(bruteforce): Don't throttle requests with failing CSRF Signed-off-by: Daniel Kesselberg --- core/Controller/LoginController.php | 1 + tests/Core/Controller/LoginControllerTest.php | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php index 1a105130785..23bc0c74ed9 100644 --- a/core/Controller/LoginController.php +++ b/core/Controller/LoginController.php @@ -319,6 +319,7 @@ class LoginController extends Controller { // case when a user has already logged-in, in another tab. return $this->generateRedirect($redirect_url); } + $throttle = false; $error = self::LOGIN_MSG_CSRFCHECKFAILED; } diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php index 7f3333172ff..173c17be187 100644 --- a/tests/Core/Controller/LoginControllerTest.php +++ b/tests/Core/Controller/LoginControllerTest.php @@ -597,7 +597,6 @@ class LoginControllerTest extends TestCase { $response = $this->loginController->tryLogin($loginChain, $trustedDomainHelper, 'Jane', $password, $rememberme, $originalUrl); $expected = new RedirectResponse(''); - $expected->throttle(['user' => 'Jane']); $this->assertEquals($expected, $response); }