From df8d2806e68709d052fad66cf0146f8683685b55 Mon Sep 17 00:00:00 2001
From: Roland Osborne
Date: Wed, 22 May 2024 15:52:19 -0700
Subject: [PATCH] apply temporary lock only when mfa enabled
---
 net/server/internal/api_setAdminAccess.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/server/internal/api_setAdminAccess.go b/net/server/internal/api_setAdminAccess.go
index 3e514a66..8e7a5793 100644
--- a/net/server/internal/api_setAdminAccess.go
+++ b/net/server/internal/api_setAdminAccess.go
@@ -26,14 +26,14 @@ func SetAdminAccess(w http.ResponseWriter, r *http.Request) {
 curTime := time.Now().Unix()
 failedTime := getNumConfigValue(CNFMFAFailedTime, 0);
 failedCount := getNumConfigValue(CNFMFAFailedCount, 0);
- if failedTime + APPMFAFailPeriod > curTime && failedCount > APPMFAFailCount {
- ErrResponse(w, http.StatusTooManyRequests, errors.New("temporarily locked"))
- return;
- }
-
 mfaEnabled := getBoolConfigValue(CNFMFAEnabled, false);
 mfaConfirmed := getBoolConfigValue(CNFMFAConfirmed, false);
 if mfaEnabled && mfaConfirmed {
+ if failedTime + APPMFAFailPeriod > curTime && failedCount > APPMFAFailCount {
+ ErrResponse(w, http.StatusTooManyRequests, errors.New("temporarily locked"))
+ return;
+ }
+
 code := r.FormValue("code")
 if code == "" {
 ErrResponse(w, http.StatusMethodNotAllowed, errors.New("totp code required"))
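Review bot: The lockout test that now sits inside the `if mfaEnabled && mfaConfirmed` branch still compares with `failedCount > APPMFAFailCount`, so the 429 is only returned after `APPMFAFailCount + 1` failed codes inside the window; if the constant is meant as the maximum number of attempts, the condition should read `failedCount >= APPMFAFailCount`. The counters are read once at the top of the hunk and the code that updates them is not visible here, so it is worth confirming that concurrent requests cannot all pass this check before any of them records a failure. A short comment above the moved block, for example `// lockout guards TOTP guessing only; requests without MFA are not throttled by this check`, would record why the check is scoped to the MFA path and prompt a reader to verify that the non-MFA credential check has its own limit. SetAdminAccess starts and ends outside the hunk.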