updated error message when logging in into the admin fails because is_staff is False
| Reported by: | Wim Feijen <wim@…> | Owned by: | wimfeijen |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
When a user tries to log in to the admin, with correct username &
password, but is_staff is set to False, the error message is
"Please enter a correct username and password. Note that both fields
After discussion on django-developers:
a solution was proposed to have a general message in all cases, so potential attackers cannot distinguish between the case where username & password are right and is_staff = False versus the case where username & password don't fit.
The message is:
"Username and password incorrect or access to this page is restricted".
as proposed by Adam Jenkins, with an added "is".
Although the global variable ERROR_MESSAGE does not seem to be used anywhere else in Django, I'll keep it as it is for now.
Gentlemen and ladies, now we need translations.
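An added sketch of the behaviour the ticket asks for (not Django's code and not the patch attached here): every failed admin login returns the same message, so a response never confirms that a username and password are valid. Only `ERROR_MESSAGE` and its text come from the ticket; `admin_login`, `failure_messages`, `STAFF_ONLY_MESSAGE` and the sample accounts are hypothetical, and hashing for unknown usernames goes beyond what the ticket discusses.

```python
import hashlib
import hmac
import os

# Message text from the ticket; every failure path returns exactly this string.
ERROR_MESSAGE = ("Username and password incorrect or access to this page "
                 "is restricted")
# Hypothetical dedicated message, shown only for contrast (constructed).
STAFF_ONLY_MESSAGE = "Your account does not have access to the admin"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_user(password, is_staff):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "is_staff": is_staff}


# Constructed sample accounts (not real data).
USERS = {
    "alice": _make_user("correct horse", is_staff=True),
    "bob": _make_user("battery staple", is_staff=False),
}
_DUMMY = _make_user("unused", is_staff=False)  # hashed for unknown usernames


def admin_login(username, password, uniform=True):
    """Return (ok, message). With uniform=True all failures look the same."""
    user = USERS.get(username)
    record = user or _DUMMY  # still do the hash work for unknown names
    password_ok = hmac.compare_digest(_hash(password, record["salt"]),
                                      record["hash"])
    if user is None or not password_ok:
        return False, ERROR_MESSAGE
    if not user["is_staff"]:
        # Credentials are valid here; a distinct message would reveal that.
        return False, (ERROR_MESSAGE if uniform else STAFF_ONLY_MESSAGE)
    return True, ""


def failure_messages(uniform):
    """Distinct messages seen across the three failure cases."""
    attempts = [("nobody", "x"), ("alice", "wrong"), ("bob", "battery staple")]
    return {admin_login(u, p, uniform)[1] for u, p in attempts}
```

With `uniform=True` the three failure cases collapse to one message; with `uniform=False` the non-staff case stands out from the other two.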
Change History (19)
comment:1 Changed 4 years ago by Wim Feijen <wim@…>
- Has patch set
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:4 Changed 4 years ago by julien
- Needs tests set
- Triage Stage changed from Unreviewed to Accepted
comment:10 Changed 4 years ago by Wim Feijen <wim@…>
- Summary changed from when logging in into the admin to updated error message when logging in into the admin fails because is_staff is False
comment:14 Changed 4 years ago by jezdez
- Resolution fixed deleted
- Status changed from closed to reopened