From 5e5aec2364373246145ca59d1df200f67bdfc90e Mon Sep 17 00:00:00 2001
From: Mike McKay <mfmckay@wustl.edu>
Date: Thu, 15 Sep 2016 15:45:06 -0500
Subject: [PATCH] Prevented guest user from getting locked out due to
 inactivity or invalid logins.

---
 src/main/java/org/nrg/xnat/security/DisableInactiveUsers.java | 3 ++-
 src/main/java/org/nrg/xnat/security/XnatProviderManager.java  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/nrg/xnat/security/DisableInactiveUsers.java b/src/main/java/org/nrg/xnat/security/DisableInactiveUsers.java
index 8dc949b3..6db3c221 100644
--- a/src/main/java/org/nrg/xnat/security/DisableInactiveUsers.java
+++ b/src/main/java/org/nrg/xnat/security/DisableInactiveUsers.java
@@ -64,7 +64,8 @@ public class DisableInactiveUsers implements Runnable {
                     final UserI u = Users.getUser(username);
 
                     // Fixes XNAT-2407. Only disable user if they have not been recently modified (enabled).
-                    if (!hasUserBeenModified(u, _inactivityBeforeLockout)) {
+                    // Also do not disable the guest user.
+                    if (!hasUserBeenModified(u, _inactivityBeforeLockout) && !username.equals("guest")) {
                         u.setEnabled("0");
                         u.setVerified("0");
                         Users.save(u, adminUser, false, EventUtils.newEventInstance(EventUtils.CATEGORY.SIDE_ADMIN, EventUtils.TYPE.PROCESS, "Disabled due to inactivity"));
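Review bot: The guest exemption in the new condition is keyed on the hard-coded literal `"guest"` with a case-sensitive `equals`, and the same literal is repeated in XnatProviderManager.addFailedLoginAttempt in this commit. If the project defines the guest account's name elsewhere (a constant or a guest check on the user object, neither visible here), both sites should use it so the two lockout exemptions cannot drift apart. Assuming hasUserBeenModified has no side effects, putting the cheap check first also skips the lookup for guest and is null-safe: `if (!"guest".equals(username) && !hasUserBeenModified(u, _inactivityBeforeLockout)) {`. The enclosing method starts and ends outside the hunk.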
diff --git a/src/main/java/org/nrg/xnat/security/XnatProviderManager.java b/src/main/java/org/nrg/xnat/security/XnatProviderManager.java
index dcd35888..1bbc6848 100644
--- a/src/main/java/org/nrg/xnat/security/XnatProviderManager.java
+++ b/src/main/java/org/nrg/xnat/security/XnatProviderManager.java
@@ -332,7 +332,7 @@ public class XnatProviderManager extends ProviderManager {
          */
         private synchronized void addFailedLoginAttempt(final Authentication auth) throws SiteConfigurationException {
             XdatUserAuth ua = _manager.getUserByAuth(auth);
-            if (ua != null) {
+            if (ua != null && !ua.getXdatUsername().equals("guest")) {
                 if (XDAT.getSiteConfigPreferences().getMaxFailedLogins() > 0) {
                     ua.setFailedLoginAttempts(ua.getFailedLoginAttempts() + 1);
                     ua.setLastLoginAttempt(new Date());
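Review bot: `ua.getXdatUsername().equals("guest")` in the new guard throws a NullPointerException if an auth record has no XDAT username, and it would do so in the failed-login path before the attempt is counted; `if (ua != null && !"guest".equals(ua.getXdatUsername())) {` is null-safe. Whether the getter can return null is not visible here. Because the guard wraps the whole block, failed attempts against guest also stop updating `lastLoginAttempt`, so this method no longer records them. If repeated failures against guest should stay visible to monitoring, add a log line there, or a comment saying the omission is intentional. The method body continues past the hunk.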
-- 
GitLab