Changeset 7694

Timestamp:
06/18/08 14:05:16 (5 months ago)
Author:
brosner
Message:

newforms-admin: Fixed #6943 and #7263 -- Handle multiple users sharing an e-mail address when checking whether an e-mail address was mistakenly entered as the username. Also prevent e-mail guessing by checking the password before showing an error. Thanks Michael Newman and Valera Grishin.

Files:

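--- a/django/branches/newforms-admin/django/contrib/admin/sites.py
+++ b/django/branches/newforms-admin/django/contrib/admin/sites.py
@@ -227,8 +227,12 @@
                 try:
                     user = User.objects.get(email=username)
-                except User.DoesNotExist
+                except (User.DoesNotExist, User.MultipleObjectsReturned)
                     message = _("Usernames cannot contain the '@' character.")
                 else:
-                    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+                    if user.check_password(password):
+                        message = _("Your e-mail address is not your username."
+                                    " Try '%s' instead." % user.username)
+                    else:
+                        message = _("Usernames cannot contain the '@' character.")
             return self.display_login_form(request, message)
 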
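Review bot: The `%` substitution in the added lines 233–234 now happens inside the `_()` call, so the translation catalog is queried with the already-substituted text (`... Try 'super' instead.`) and the hint will never match a msgid; the removed line had the order right, `message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username`. Keeping it as one literal also leaves the msgid identical to the existing catalog entry. The wrong-password and multiple-match branches now return the same text as the not-found branch, which is what the enumeration fix needs; `check_password` only runs when the address matches, so response time is the remaining difference between the branches, if that matters for this form. The enclosing method starts and ends outside the hunk.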
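--- a/django/branches/newforms-admin/tests/regressiontests/admin_views/tests.py
+++ b/django/branches/newforms-admin/tests/regressiontests/admin_views/tests.py
@@ -50,4 +50,12 @@
                      'username': 'super',
                      'password': 'secret'}
+        self.super_email_login = {'post_data': _encode_post_data({}),
+                     LOGIN_FORM_KEY: 1,
+                     'username': 'super@example.com',
+                     'password': 'secret'}
+        self.super_email_bad_login = {'post_data': _encode_post_data({}),
+                      LOGIN_FORM_KEY: 1,
+                      'username': 'super@example.com',
+                      'password': 'notsecret'}
         self.adduser_login = {'post_data': _encode_post_data({}),
                      LOGIN_FORM_KEY: 1,
@@ -83,4 +91,19 @@
         self.assertFalse(login.context)
         self.client.get('/test_admin/admin/logout/')
+
+        # Test if user enters e-mail address
+        request = self.client.get('/test_admin/admin/')
+        self.failUnlessEqual(request.status_code, 200)
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        print login
+        self.assertContains(login, "Your e-mail address is not your username")
+        # only correct passwords get a username hint
+        login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
+        new_user = User(username='jondoe', password='secret', email='super@example.com')
+        new_user.save()
+        # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
 
         # Add User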
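Review bot: `print login` on new line 98 is a leftover debug statement that dumps the whole login response into the test output on every run; drop that line. The `new_user` built with `password='secret'` on new line 103 presumably stores the raw string rather than a hash, which is harmless here because the duplicate-address request is expected to hit `MultipleObjectsReturned` before any password check, but a one-line comment saying so, `# raw password is fine: the duplicate e-mail short-circuits before check_password`, would save the next reader a detour. The enclosing test method starts and ends outside the hunk.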