Banned: Bad IP as Admin -bug found?
layingback


Joined: Apr 19, 2004 Posts: 953
|
Post subject: Banned: Bad IP as Admin -bug found? Posted: Thu Dec 24, 2009 7:55 am |
|
I was banned from a new site yesterday due to bad ip - flooding, when I was Admin! I know this is not _supposed_ to happen, but it did, and there were no warning messages for flooding. I was in maintenance mode too - so rather messy fixing things!
But it had happened to me once before, a long time ago, so I went looking. I think I found the cause of admins banning themselves.
Symptoms were that I was using site without problem as user & admin, logged out as admin, went to log straight back in and got Banned: Bad Bot screen. Entry in db showing my IP was for both banned and flooding.
What I think the code does is call Security twice, the second time with membership details. If user is admin, 2nd call gets skipped, so admins don't get banned no matter how fast they click, but the flood action still gets logged from 1st call. So I suspect that if you log out of admin during a logged flooding sequence, the next click - when you are no longer an admin - gets you banned immediately, because the flood count indicates that you already received the warnings (which you didn't actually because you were admin at the time).
Thoughts? Looking for confirmation from the knowledgeable, then if confirmed I'll log as bug.
_________________ Pro_News: The complete module for Dragonfly - now available as version 3.3
layingback's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) 2.6 - 3.6 / 1.3.42 - 2.2.12 / 5.0.92 - 5.1.37 - 5.1.54 / 4.4.49 - 5.2.17 - 5.3 / 9.2.1 |
Dizfunkshunal


Joined: Mar 23, 2006 Posts: 2079
|
Post subject: Re: Banned: Bad IP as Admin -bug found? Posted: Thu Dec 24, 2009 3:42 pm |
|
Sounds like it is working like it was made to. I add all my static IPs to the IPs Shield so I don't get banned when I go from admin to reg user to check my work. I get banned easy on any DF site with flood active. Only downfall to having business class internet: sometimes it's just too fast.
_________________ Diz Web Design Status: Open (Use of resources requires registration.)
Dizfunkshunal's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Multiple Setups |
NanoCaiordo


Joined: Jun 29, 2004 Posts: 3677 Location: Melbourne, AU
|
Post subject: Re: Banned: Bad IP as Admin -bug found? Posted: Sat Dec 26, 2009 5:51 am |
|
A slower delay has been in CVS for a few weeks already.
Yes, there is a glitch with maintenance on. I do have an "ugly" patch already but never committed it.
_________________ .:: I met php the 03 December 2003 :: Unforgettable day! ::.
NanoCaiordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) MySQL 5.1 / PHP 5.3 / NextGen() |
NanoCaiordo


Joined: Jun 29, 2004 Posts: 3677 Location: Melbourne, AU
|
Post subject: Re: Banned: Bad IP as Admin -bug found? Posted: Mon Dec 28, 2009 3:12 am |
|
I need to add that this glitch may exist only on freshly installed websites, right after the session ends (closing the browser or log out).
I never had a fix but a workaround exists and I want this to be reviewed before it gets released.
layingback, yes, a bug report is welcome.
_________________ .:: I met php the 03 December 2003 :: Unforgettable day! ::.
NanoCaiordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) MySQL 5.1 / PHP 5.3 / NextGen() |
layingback


Joined: Apr 19, 2004 Posts: 953
|
Post subject: Re: Banned: Bad IP as Admin -bug found? Posted: Mon Dec 28, 2009 10:15 am |
|
Bug report #1109 submitted.
Thanks for reply Nano. I couldn't think of a straightforward way to prevent. Really need to flush existing list of flood entries for admin at logout, but means a lot of special code for a rather special case.
Workaround is obviously to pause for 30 secs between admin logout and log back in, but when you've just logged out but forgotten to turn off Maintenance mode, the urge to quickly log back in is just too great.
_________________ Pro_News: The complete module for Dragonfly - now available as version 3.3
layingback's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) 2.6 - 3.6 / 1.3.42 - 2.2.12 / 5.0.92 - 5.1.37 - 5.1.54 / 4.4.49 - 5.2.17 - 5.3 / 9.2.1 |
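
The sequence described in the thread, as an added PHP model that is not DragonflyCMS code or any poster's patch: hits are logged for every request, enforcement is skipped for admins, and the first click after admin logout is judged against the hits logged while enforcement was skipped. The class, method names, thresholds and the 30-second window are assumptions for illustration; the three runs compare no remedy, flushing the admin's flood entries at logout, and the 30-second pause, and only the first ends in a ban (without ever passing through the warning stage).

```php
<?php
// Constructed model; names and thresholds are hypothetical, not DragonflyCMS code.
final class FloodGuard
{
    private array $hits = [];   // ip => timestamps of recent requests

    public function __construct(
        private bool $flushOnAdminLogout = false,
        private int $warnAt = 3,   // assumed: warnings start above this count
        private int $banAt = 5,    // assumed: ban above this count
        private int $window = 30   // assumed: seconds a hit stays counted
    ) {}

    public function request(string $ip, int $now, bool $isAdmin): string
    {
        // First call: the hit is logged whoever makes the request.
        $recent = array_filter($this->hits[$ip] ?? [], fn(int $t) => $now - $t < $this->window);
        $this->hits[$ip] = [...array_values($recent), $now];
        // Second call: enforcement with membership details, skipped for admins.
        return match (true) {
            $isAdmin => 'ok',
            count($this->hits[$ip]) > $this->banAt => 'banned',
            count($this->hits[$ip]) > $this->warnAt => 'warn',
            default => 'ok',
        };
    }

    public function adminLogout(string $ip): void
    {
        if ($this->flushOnAdminLogout) {
            unset($this->hits[$ip]);   // drop hits logged while enforcement was skipped
        }
    }
}

function replay(bool $flush, int $pause): string
{
    $guard = new FloodGuard($flush);
    $ip = '192.0.2.10';                    // constructed documentation address
    for ($t = 0; $t < 8; $t++) {           // eight admin clicks, one per second
        $guard->request($ip, $t, true);
    }
    $guard->adminLogout($ip);
    return $guard->request($ip, 7 + $pause, false);   // first click after logout
}

foreach ([[false, 2], [true, 2], [false, 30]] as [$flush, $pause]) {
    printf("flush=%s pause=%ds -> %s\n", $flush ? 'yes' : 'no', $pause, replay($flush, $pause));
}
```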