

Ticket #6943: 6943-nfa-admin-multiple-emails.2.diff

File 6943-nfa-admin-multiple-emails.2.diff, 3.3 kB (added by Mnewman, 7 months ago)

New patch addressing the idea of e-mail address guessing.

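--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -226,10 +226,14 @@
                 # Mistakenly entered e-mail address instead of username? Look it up.
                 try:
                     user = User.objects.get(email=username)
-                except User.DoesNotExist
+                except (User.DoesNotExist, User.MultipleObjectsReturned)
                     message = _("Usernames cannot contain the '@' character.")
                 else:
-                    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+                    if user.check_password(password):
+                        message = _("Your e-mail address is not your username."
+                                    " Try '%s' instead." % user.username)
+                    else:
+                        message = _("Usernames cannot contain the '@' character.")
             return self.display_login_form(request, message)
 
         # The user data is correct; log in the user in and continue.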
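Review bot: In the new `else` branch the `%` interpolation is applied inside the `_()` call, because the two adjacent literals are joined at compile time and formatted before gettext sees the string, so the msgid never matches the catalogue and the hint is never translated; keep the operator outside: `message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username`. Gating the username hint on `check_password` is what closes the e-mail guessing the ticket describes, and it is worth a one-line comment saying so, e.g. `# Only reveal the username to someone who already knows the password.` Note that `check_password` runs only when a row is found, so the response may still take measurably longer for an existing address; if that residual difference is accepted, say so in the same comment. The enclosing `login` method starts and ends outside the hunk.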
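--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -49,6 +49,14 @@
                      LOGIN_FORM_KEY: 1,
                      'username': 'super',
                      'password': 'secret'}
+        self.super_email_login = {'post_data': _encode_post_data({}),
+                     LOGIN_FORM_KEY: 1,
+                     'username': 'super@example.com',
+                     'password': 'secret'}
+        self.super_email_bad_login = {'post_data': _encode_post_data({}),
+                      LOGIN_FORM_KEY: 1,
+                      'username': 'super@example.com',
+                      'password': 'notsecret'}
         self.adduser_login = {'post_data': _encode_post_data({}),
                      LOGIN_FORM_KEY: 1,
                      'username': 'adduser',
@@ -83,6 +91,21 @@
         self.assertFalse(login.context)
         self.client.get('/test_admin/admin/logout/')
 
+        # Test if user enters e-mail address
+        request = self.client.get('/test_admin/admin/')
+        self.failUnlessEqual(request.status_code, 200)
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        print login
+        self.assertContains(login, "Your e-mail address is not your username")
+        # only correct passwords get a username hint
+        login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
+        new_user = User(username='jondoe', password='secret', email='super@example.com')
+        new_user.save()
+        # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
+
         # Add User
         request = self.client.get('/test_admin/admin/')
         self.failUnlessEqual(request.status_code, 200)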
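Review bot: The leftover debugging statement `print login` at new line 98 should be dropped before this lands; it dumps the whole login response into the test output on every run. The duplicate-address user built with `User(username='jondoe', password='secret', email='super@example.com')` stores the literal string in the password field rather than a hash; `User.objects.create_user('jondoe', 'super@example.com', 'secret')` gives a realistic record, although for a test that only checks the duplicate path does not return a 500 the outcome is the same. The new block also presumes the fixture user `super` carries the address `super@example.com`, which the hunk does not show, so a short comment stating that dependency above the block would help the next reader. The enclosing test method continues outside the hunk.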