Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#1991 closed enhancement (fixed)

User accounts with is_active

Reported by: dave@… Owned by: Adrian Holovaty
Component: contrib.admin Version: dev
Severity: blocker Keywords: auth
Cc: gokerno Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser from this:

            self.user_cache = User.objects.get(username=field_data)

to this:

            self.user_cache = User.objects.filter(is_active=True).get(username=field_data)

Or add a second Manager to django.contrib.auth.models :

class ActiveUser(models.Manager):
    def get_query_set(self):
        return super(ActiveUser, self).get_query_set().filter(is_active=True)

and add these two lines to django.contrib.auth.models.Article :

    objects = models.Manager()
    published = ActiveUser()

and instead of the line above for isValidUser, put this:

            self.user_cache = ActiveUser.objects.get(username=field_data)

Don't forget to do: from django.contrib.auth.users.models import ActiveUser

Change History (7)

comment:1 by germish@…, 18 years ago

Both of those solutions would reveal the existsence of the username to a potential attacker, whether they knew the username password or not. Here is an alternative solution, which will only notify the person logging that the username is inactive when they correctly guess the username password:

def isValidPasswordForUser(self, field_data, all_data):
    if self.user_cache is not None and not self.user_cache.check_password(field_data):
        self.user_cache = None
        raise validators.ValidationError, _("Please enter a correct username and password. Note that both fields are case-sensitive.")
    elif self.user_cache is not None and not self.user_cache.is_active:
        self.user_cache = None
        raise validators.ValidationError, _("This account is incative.")

comment:2 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: newclosed

(In [3058]) Fixed #1991 -- Changed AuthenticationForm to disallow users with is_active=False from logging in. Thanks, dave@… and germish@…

comment:3 by phentermine online, 18 years ago

Type: defect

comment:4 by Smith, 18 years ago

Summary: User accounts with is_active=False are allowed to loginUser accounts with is_active
Type: defect

test

comment:5 by anonymous, 18 years ago

Cc: gokerno added
Component: Core frameworkAdmin interface
milestone: Version 1.0
priority: normalhighest
Resolution: fixed
Severity: normalblocker
Status: closedreopened
Type: defectenhancement

test script, sorry

comment:6 by Russell Keith-Magee, 18 years ago

Resolution: fixed
Status: reopenedclosed

Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.

comment:7 by (none), 18 years ago

milestone: Version 1.0

Milestone Version 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top