#1991 closed enhancement (fixed)
User accounts with is_active
Reported by: | Owned by: | Adrian Holovaty | |
---|---|---|---|
Component: | contrib.admin | Version: | dev |
Severity: | blocker | Keywords: | auth |
Cc: | gokerno | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser
from this:
self.user_cache = User.objects.get(username=field_data)
to this:
self.user_cache = User.objects.filter(is_active=True).get(username=field_data)
Or add a second Manager
to django.contrib.auth.models
:
class ActiveUser(models.Manager): def get_query_set(self): return super(ActiveUser, self).get_query_set().filter(is_active=True)
and add these two lines to django.contrib.auth.models.Article
:
objects = models.Manager() published = ActiveUser()
and instead of the line above for isValidUser
, put this:
self.user_cache = ActiveUser.objects.get(username=field_data)
Don't forget to do: from django.contrib.auth.users.models import ActiveUser
Change History (7)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:3 by , 18 years ago
Type: | defect |
---|
comment:4 by , 18 years ago
Summary: | User accounts with is_active=False are allowed to login → User accounts with is_active |
---|---|
Type: | → defect |
test
comment:5 by , 18 years ago
Cc: | added |
---|---|
Component: | Core framework → Admin interface |
milestone: | → Version 1.0 |
priority: | normal → highest |
Resolution: | fixed |
Severity: | normal → blocker |
Status: | closed → reopened |
Type: | defect → enhancement |
test script, sorry
comment:6 by , 18 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.
Note:
See TracTickets
for help on using tickets.
Both of those solutions would reveal the existsence of the username to a potential attacker, whether they knew the username password or not. Here is an alternative solution, which will only notify the person logging that the username is inactive when they correctly guess the username password: