#1991 closed enhancement (fixed)
User accounts with is_active
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | contrib.admin | Version: | dev |
| Severity: | blocker | Keywords: | auth |
| Cc: | gokerno | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser from this:
self.user_cache = User.objects.get(username=field_data)
to this:
self.user_cache = User.objects.filter(is_active=True).get(username=field_data)
Or add a second Manager to django.contrib.auth.models :
class ActiveUser(models.Manager):
def get_query_set(self):
return super(ActiveUser, self).get_query_set().filter(is_active=True)
and add these two lines to django.contrib.auth.models.Article :
objects = models.Manager()
published = ActiveUser()
and instead of the line above for isValidUser, put this:
self.user_cache = ActiveUser.objects.get(username=field_data)
Don't forget to do: from django.contrib.auth.users.models import ActiveUser
Change History (7)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:3 by , 18 years ago
| Type: | defect |
|---|
comment:4 by , 18 years ago
| Summary: | User accounts with is_active=False are allowed to login → User accounts with is_active |
|---|---|
| Type: | → defect |
test
comment:5 by , 18 years ago
| Cc: | added |
|---|---|
| Component: | Core framework → Admin interface |
| milestone: | → Version 1.0 |
| priority: | normal → highest |
| Resolution: | fixed |
| Severity: | normal → blocker |
| Status: | closed → reopened |
| Type: | defect → enhancement |
test script, sorry
comment:6 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.
Note:
See TracTickets
for help on using tickets.
Both of those solutions would reveal the existsence of the username to a potential attacker, whether they knew the username password or not. Here is an alternative solution, which will only notify the person logging that the username is inactive when they correctly guess the username password:
def isValidPasswordForUser(self, field_data, all_data): if self.user_cache is not None and not self.user_cache.check_password(field_data): self.user_cache = None raise validators.ValidationError, _("Please enter a correct username and password. Note that both fields are case-sensitive.") elif self.user_cache is not None and not self.user_cache.is_active: self.user_cache = None raise validators.ValidationError, _("This account is incative.")