Opened 2 years ago

Closed 2 years ago

#19899 closed New feature (wontfix)

Add attr request in user_login_failed signal

Reported by: anonymous
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Add a request attribute to the user_login_failed signal.
This will make it possible to see the IP of the person who brute-forces passwords.

Change History (6)

comment:1 Changed 2 years ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

I can understand the use case, however it will be difficult to implement in practice, because the authenticate method which fires the signal doesn't have access to the request.

I think that if you want to implement such a mechanism, you should provide your own AuthenticationForm subclass (and customize the clean method), so this is something each developer can do without modifying Django itself.

comment:2 Changed 2 years ago by anonymous

How, if the form does not receive the request?

contrib.auth.view:

    @sensitive_post_parameters()
    @csrf_protect
    @never_cache
    def login(request, template_name='registration/login.html',
              redirect_field_name=REDIRECT_FIELD_NAME,
              authentication_form=AuthenticationForm,
              current_app=None, extra_context=None):
        """
        Displays the login form and handles the login action.
        """
        redirect_to = request.REQUEST.get(redirect_field_name, '')

        if request.method == "POST":
            form = authentication_form(data=request.POST)  # THIS NEEDS the request appended
            if form.is_valid():
                ...

comment:3 Changed 2 years ago by anonymous

How, if the form does not receive the request?

contrib.auth.view:

    @sensitive_post_parameters()
    @csrf_protect
    @never_cache
    def login(request, template_name='registration/login.html',
              redirect_field_name=REDIRECT_FIELD_NAME,
              authentication_form=AuthenticationForm,
              current_app=None, extra_context=None):
        """
        Displays the login form and handles the login action.
        """
        redirect_to = request.REQUEST.get(redirect_field_name, '')

        if request.method == "POST":
            form = authentication_form(data=request.POST)  # THIS NEEDS the request appended
            if form.is_valid():
                ...

comment:4 Changed 2 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to new

comment:5 Changed 2 years ago by alej0

This doesn't solve the issue of request not being passed to the user_login_failed signal, but it solves request being passed to authentication_form and backs claudep's argument.

https://code.djangoproject.com/ticket/15198

comment:6 Changed 2 years ago by claudep

  • Resolution set to wontfix
  • Status changed from new to closed

Yes, #15198 is the ticket to fix so that the request is available.
