Ticket #6943: 6943-nfa-admin-multiple-emails.2.diff

File 6943-nfa-admin-multiple-emails.2.diff, 3.3 KB (added by Michael Newman, 16 years ago)

New patch addressing the idea of e-mail address guessing.

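--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -226,10 +226,14 @@
                 # Mistakenly entered e-mail address instead of username? Look it up.
                 try:
                     user = User.objects.get(email=username)
-                except User.DoesNotExist:
+                except (User.DoesNotExist, User.MultipleObjectsReturned):
                     message = _("Usernames cannot contain the '@' character.")
                 else:
-                    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+                    if user.check_password(password):
+                        message = _("Your e-mail address is not your username."
+                                    " Try '%s' instead." % user.username)
+                    else:
+                        message = _("Usernames cannot contain the '@' character.")
             return self.display_login_form(request, message)
 
         # The user data is correct; log in the user in and continue.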
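Review bot: The two-line `message = _(...)` assignment under `if user.check_password(password):` applies `% user.username` inside the `_()` call, so gettext is handed an already-interpolated string that never matches the catalog msgid and the hint is never translated; the line it replaces had the operator outside the call. Keep the implicit literal concatenation but move the operator: `message = _("Your e-mail address is not your username." " Try '%s' instead.") % user.username`. Revealing the username only after `check_password` succeeds is what addresses the ticket's address-guessing concern, and catching `User.MultipleObjectsReturned` keeps a duplicated e-mail from turning into a 500; both fallbacks now deliberately return the same generic message, which is the right shape. A one-line comment above the `if`, `# Only hint at the real username once the password is verified, so the lookup cannot confirm which e-mail addresses exist`, would record that intent for the next maintainer. The enclosing view method begins before this hunk.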
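--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -49,6 +49,14 @@
                      LOGIN_FORM_KEY: 1,
                      'username': 'super',
                      'password': 'secret'}
+        self.super_email_login = {'post_data': _encode_post_data({}),
+                     LOGIN_FORM_KEY: 1,
+                     'username': 'super@example.com',
+                     'password': 'secret'}
+        self.super_email_bad_login = {'post_data': _encode_post_data({}),
+                      LOGIN_FORM_KEY: 1,
+                      'username': 'super@example.com',
+                      'password': 'notsecret'}
         self.adduser_login = {'post_data': _encode_post_data({}),
                      LOGIN_FORM_KEY: 1,
                      'username': 'adduser',
@@ -83,6 +91,21 @@
         self.assertFalse(login.context)
         self.client.get('/test_admin/admin/logout/')
         
+        # Test if user enters e-mail address
+        request = self.client.get('/test_admin/admin/')
+        self.failUnlessEqual(request.status_code, 200)
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        print login
+        self.assertContains(login, "Your e-mail address is not your username")
+        # only correct passwords get a username hint
+        login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
+        new_user = User(username='jondoe', password='secret', email='super@example.com')
+        new_user.save()
+        # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")       
+        
         # Add User
         request = self.client.get('/test_admin/admin/')
         self.failUnlessEqual(request.status_code, 200)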
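Review bot: `print login` in the second hunk, immediately after the first post of `self.super_email_login`, is a leftover debug statement that dumps the entire response body to the test runner's output on every run; delete that line. The `new_user` created to trigger the multiple-address case stores `password='secret'` as a raw field value rather than via `set_password`, which only works because that user is never authenticated in this test — a comment such as `# raw password field is fine here: this user exists only to duplicate the e-mail address` would stop a later reader from copying the pattern into a test that does log in. The bad-password and duplicate-address assertions both expect the same generic `"Usernames cannot contain the '@' character"` text; a comment noting that the messages are intentionally identical so the response cannot distinguish a known address from an unknown one would make the property being tested explicit. The last `assertContains` line also carries trailing whitespace.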