updated error message when logging in into the admin fails because is_staff is False

[Wim Feijen <wim@…>]

When a user tries to login on the admin, with correct username &
password, but is_staff is set to False, the error message is
misleadingly wrong:
"Please enter a correct username and password. Note that both fields
are case-sensitive."

After discussion on django-developers:
​http://groups.google.com/group/django-developers/browse_thread/thread/c070dcd878a75a2b

a solution was proposed to have a general message in all cases, so potential attackers cannot distinguish between the case where username&password are right and is_staff = False versus the case where username&password don't fit.

The message is:

"Username and password incorrect or access to this page is restricted".

as proposed by Adam Jenkins, with an added "is".

Although the global variable ERROR_MESSAGE does not seem to be used anywhere else in django, I'll keep it as it is for now.

Gentlemen and ladies, now we need translations.

Wim

[Wim Feijen <wim@…>]

Tests fail - need update

[Julien Phalip]

I think this is in principle a good compromise. The suggested patch feels a bit dry though, and could be improved. We don't want to lose the "Note that both fields are case-sensitive." tip either. Please also add some tests.

[Jochem]

What about... "Please enter the correct username and password for a staff account."?

[Wim Feijen <wim@…>]

Better error message: updated tests as well.

[Wim Feijen <wim@…>]

Hi Julien, and Jocmeh. Thanks for your suggestions. I have updated the error message to:
"Please enter the correct username and password "
"for a staff account. Note that both fields are case-sensitive."

A patch (with working tests) is attached.

Thanks, Wim

[Julien Phalip]

Thank you Wim, the message looks good. However, the tests aren't proper. If ERROR_MESSAGE accidentally gets modified to, for example, "I love double rainbows", the tests will still pass :D
The message may have serious security implications so it's important to explicitly test it.

Also, one note on the process. When you provide a patch that *you* think is right, please feel free to remove the "Needs tests" and "Patch needs improvement" flags, so that the ticket can more easily be found by people looking for patches to review. In this case, I'm removing "Needs tests" because there are some, but leaving "Patch needs improvement" because it does ;)

[Wim Feijen <wim@…>]

Sets ERROR_MESSAGE in tests in stead of importing, in order to prevent double rainbows ;)

[Wim Feijen <wim@…>]

Julien, thanks for looking into the patch so quickly. Also thanks for the feedback for helping me improve. :)

[Julien Phalip]

Great, thanks for your patience ;)

[Paul McMillan]

In [16872]:

Fixed #16837 -- Improved error message for admin login.

[Paul McMillan]

In [16878]:

[1.3.X] Fixed #16837 -- Improved error messages for admin login. Thanks Wim Feijen for the patch.

[Jannis Leidel]

It's common policy to not backport changes to a release branch which change a translation string. This needs to be reverted in the 1.3.X branch.

[Paul McMillan]

In [16891]:

[1.3.X] Reverting r16878 (improved admin error message) per advice from jezdez. refs #16837

[Paul McMillan]

Closing after reverting the change in the 1.3.X branch.