Is there a way that when someone logs in and they provide the correct email address but not the correct password to tell them "Sorry your password is not correct."? Giving them the option to click on Forgot My Password.
Or to put the email address back in the email field.
Then is there a way to restrict/disable a login if someone has tried to log in 3 times and failed?
I am days away from launching a new site on SS and I'm totally excited about all that can be done with SS. Great job whoever conceived SS.
Not sure on this one, but both requests probably require serious modification (especially the three strikes one).
I will say from experience that telling a user what portion of their login credentials is incorrect instantly makes your login half as secure. And that's exactly what I would tell my client if they are asking for this.
There is some functionality along the lines of disabling login for a given username after so many failed login attempts. It doesn't appear to be mentioned on the docs site but you can find it mentioned in the api docs (http://api.silverstripe.org/sapphire/security/Member.html#lock_out_after_incorrect_logins). For more understanding of how it works, you might want to look at the source of class Member (http://open.silverstripe.com/browser/modules/sapphire/trunk/security/Member.php).
1.) User registers for an account
2.) They get added to a group with the status of disabled
3.) Their request gets reviewed and if approved their status needs to be changed to enabled and an email sent to them.
4.) If they try to log in too many times I would like to disable them for 30 minutes or so just so we don't have hackers trying to get into the system. (This happens)
If you're wanting a way to manually clear the lock out, you might try poking around in class Member's source, particularly looking at getCMSFields(). That method currently hides the "LockedOutUntil" field.
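The two ideas from this thread (one generic failure message, and a timed lockout after three failed attempts) as an added example that is not part of the original posts and is not SilverStripe's code. The class name LoginThrottle, its constants and the sample account are hypothetical; returning the same message while locked is a design choice of this sketch.

```php
<?php
// Added illustration: every name here is hypothetical, not SilverStripe's Member API.
final class LoginThrottle
{
    const MAX_FAILURES = 3;      // "three strikes", as asked in the thread
    const LOCK_SECONDS = 1800;   // 30 minutes, as asked in the thread
    const GENERIC_ERROR = 'That email address or password is incorrect.';

    private $users;              // normalised email => password hash
    private $state = array();    // normalised email => ['fails' => int, 'lockedUntil' => int]
    private $dummyHash;
    public function __construct(array $users)
    {
        $this->users = $users;
        // Checked when the email is unknown, so both paths cost one hash verification.
        $this->dummyHash = password_hash('unused-placeholder', PASSWORD_DEFAULT);
    }

    /** Returns array(bool $ok, string $message). $now is injectable so the lock can be tested. */
    public function attempt($email, $password, $now = null)
    {
        $now = $now === null ? time() : $now;
        $key = strtolower(trim($email));
        $s = isset($this->state[$key]) ? $this->state[$key] : array('fails' => 0, 'lockedUntil' => 0);
        if ($s['lockedUntil'] > $now) {
            return array(false, self::GENERIC_ERROR); // locked: password is not even checked
        }
        $hash = isset($this->users[$key]) ? $this->users[$key] : $this->dummyHash;
        $ok = password_verify($password, $hash) && isset($this->users[$key]);
        if ($ok) {
            unset($this->state[$key]);                // success clears the failure counter
            return array(true, 'Welcome back.');
        }
        // Unknown emails are counted too, so lockout behaviour does not reveal which accounts exist.
        $s['fails']++;
        if ($s['fails'] >= self::MAX_FAILURES) {
            $s = array('fails' => 0, 'lockedUntil' => $now + self::LOCK_SECONDS);
        }
        $this->state[$key] = $s;
        return array(false, self::GENERIC_ERROR);
    }
}

// Constructed sample account and timestamps.
$t = new LoginThrottle(array('alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)));
$t0 = 1000000;
for ($i = 0; $i < 3; $i++) { $t->attempt('alice@example.com', 'wrong', $t0); }
var_dump($t->attempt('alice@example.com', 'correct horse', $t0 + 60));   // inside the lock window
var_dump($t->attempt('alice@example.com', 'correct horse', $t0 + 1801)); // after the lock window
```

The "Forgot My Password" link can be shown next to the generic message on every failure, which gives the convenience asked for without confirming that the email address exists. A real deployment would keep the counters in the database and expire old entries.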