Django

Ticket #1991 (closed: fixed)

Opened 2 years ago

Last modified 1 year ago

User accounts with is_active

Reported by: dave@rightround.com
Assigned to: adrian
Milestone:
Component: Admin interface
Version: SVN
Keywords: auth
Cc: gokerno
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser from this:

            self.user_cache = User.objects.get(username=field_data)

to this:

            self.user_cache = User.objects.filter(is_active=True).get(username=field_data)

Or add a second Manager to django.contrib.auth.models :

class ActiveUser(models.Manager):
    def get_query_set(self):
        return super(ActiveUser, self).get_query_set().filter(is_active=True)

and add these two lines to django.contrib.auth.models.Article :

    objects = models.Manager()
    published = ActiveUser()

and instead of the line above for isValidUser, put this:

            self.user_cache = ActiveUser.objects.get(username=field_data)

Don't forget to do: from django.contrib.auth.users.models import ActiveUser

Change History

05/29/06 21:15:18 changed by germish@gmail.com

Both of those solutions would reveal the existence of the username to a potential attacker, whether they knew the username's password or not. Here is an alternative solution, which will only notify the person logging in that the username is inactive when they correctly guess the username's password:

def isValidPasswordForUser(self, field_data, all_data):
    # Check the password first; a wrong password gets the same generic
    # message whether or not the account is active.
    if self.user_cache is not None and not self.user_cache.check_password(field_data):
        self.user_cache = None
        raise validators.ValidationError, _("Please enter a correct username and password. Note that both fields are case-sensitive.")
    # Only after the password is verified do we disclose that the account is inactive.
    elif self.user_cache is not None and not self.user_cache.is_active:
        self.user_cache = None
        raise validators.ValidationError, _("This account is inactive.")
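
The two approaches discussed on this ticket (the description's "filter active users before looking them up" and the comment's "verify the password, then check is_active") differ in what an unauthenticated caller can learn. The example below is added here for illustration; it is not Django's code and uses no Django APIs. It models a user table as a constructed dict (`USERS`, `make_user`, `check_password` are all hypothetical names) and shows both orderings side by side: `login_enumerable` answers differently for unknown, inactive and wrong-password cases, so the response alone tells a caller whether a username exists; `login_hardened` returns one generic message for unknown users and wrong passwords, does equivalent hashing work for unknown usernames so timing does not distinguish them, and only reveals "inactive" once the password is correct, which is the ordering the comment above proposes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a user table; not Django's User model.
def _hash_password(password, salt, iterations=50_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(username, password, is_active=True):
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "is_active": is_active,
    }


# Sample accounts (constructed): one active, one deactivated.
USERS = {
    u["username"]: u
    for u in (make_user("alice", "correct horse"),
              make_user("bob", "hunter2", is_active=False))
}

GENERIC_ERROR = ("Please enter a correct username and password. "
                 "Note that both fields are case-sensitive.")
INACTIVE_ERROR = "This account is inactive."

# Salt used to burn equivalent work when the username does not exist.
_DUMMY_SALT = os.urandom(16)


def check_password(user, password):
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def login_enumerable(username, password, users=USERS):
    """Leaky ordering: distinct messages for unknown vs. inactive accounts,
    and the inactive check runs before the password is verified."""
    user = users.get(username)
    if user is None:
        return None, "Please enter a valid username."
    if not user["is_active"]:
        return None, INACTIVE_ERROR          # leaks existence without a password
    if not check_password(user, password):
        return None, GENERIC_ERROR
    return user, None


def login_hardened(username, password, users=USERS):
    """Unknown username and wrong password are indistinguishable; the
    account's inactive state is disclosed only after a correct password."""
    user = users.get(username)
    if user is None:
        _hash_password(password, _DUMMY_SALT)  # same cost as a real check
        return None, GENERIC_ERROR
    if not check_password(user, password):
        return None, GENERIC_ERROR
    if not user["is_active"]:
        return None, INACTIVE_ERROR
    return user, None


if __name__ == "__main__":
    for fn in (login_enumerable, login_hardened):
        print(fn.__name__)
        for creds in (("nobody", "x"), ("bob", "x"), ("bob", "hunter2"), ("alice", "correct horse")):
            user, err = fn(*creds)
            print("  %-22r -> %s" % (creds, err or "ok"))
```

In the hardened variant the only observable difference between "no such user" and "wrong password" is removed from both the message and (approximately) the timing; the inactive message is still shown, but only to someone who already holds the correct password.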

06/01/06 23:42:11 changed by adrian

  • status changed from new to closed.
  • resolution set to fixed.

(In [3058]) Fixed #1991 -- Changed AuthenticationForm to disallow users with is_active=False from logging in. Thanks, dave@rightround.com and germish@gmail.com

08/02/06 00:14:09 changed by phentermine online

  • type deleted.

08/14/06 11:04:30 changed by test

  • type set to defect.
  • summary changed from User accounts with is_active=False are allowed to login to User accounts with is_active.

test

12/20/06 03:15:30 changed by anonymous

  • status changed from closed to reopened.
  • severity changed from normal to blocker.
  • cc set to gokerno.
  • type changed from defect to enhancement.
  • component changed from Core framework to Admin interface.
  • priority changed from normal to highest.
  • milestone set to Version 1.0.
  • resolution deleted.

test script, sorry

12/20/06 04:56:39 changed by russellm

  • status changed from reopened to closed.
  • resolution set to fixed.

Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.

01/17/07 16:12:17 changed by

  • milestone deleted.

Milestone Version 1.0 deleted
