#19899 closed New feature (wontfix)

Add attr request in user_login_failed signal

Reported by: anonymous
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Add attr request in user_login_failed signal.
This will allow seeing the IP of the person who brute-forces passwords.

Attachments (0)

Change History (6)

comment:1 Changed 17 months ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

I can understand the use case, however it will be difficult to implement in practice, because the authenticate method which fires the signal doesn't have access to the request.

I think that if you want to implement such a mechanism, you should provide your own AuthenticationForm subclass (and customize the clean method), so this is something each developer can do without modifying Django itself.

comment:2 Changed 17 months ago by anonymous

How, if the form does not receive the request?

contrib.auth.view:

@sensitive_post_parameters()
@csrf_protect
@never_cache
def login(request, template_name='registration/login.html',
          redirect_field_name=REDIRECT_FIELD_NAME,
          authentication_form=AuthenticationForm,
          current_app=None, extra_context=None):
    """
    Displays the login form and handles the login action.
    """
    redirect_to = request.REQUEST.get(redirect_field_name, '')

    if request.method == "POST":
        form = authentication_form(data=request.POST)  # THIS NEEDS request APPENDED
        if form.is_valid():
            ...

comment:4 Changed 17 months ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to new

comment:5 Changed 17 months ago by alej0

This doesn't solve the issue of request not being passed to the user_login_failed signal, but solves request being passed to authentication_form and backs claudep's argument.

https://code.djangoproject.com/ticket/15198

comment:6 Changed 17 months ago by claudep

  • Resolution set to wontfix
  • Status changed from new to closed

Yes, #15198 is the ticket to fix so that the request is available.
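
An added example, not part of the ticket or of Django's code: the per-IP bookkeeping that a clean() override on an AuthenticationForm subclass (the approach suggested in comment:1) could call with request.META once the form has the request. The names client_ip and FailedLoginTracker, the window and threshold values, and the single-trusted-proxy assumption are hypothetical.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed look-back window
MAX_FAILURES = 5       # assumed threshold before an IP is flagged


def client_ip(meta, trusted_proxies=frozenset()):
    """Return the client IP from a Django-style request.META dict.

    X-Forwarded-For is honoured only when the direct peer is a known proxy;
    otherwise any client could forge the header to hide or frame an address.
    """
    peer = meta.get("REMOTE_ADDR", "")
    forwarded = meta.get("HTTP_X_FORWARDED_FOR", "")
    if peer in trusted_proxies and forwarded:
        # Assumes one trusted proxy: the right-most entry is the one it appended.
        return forwarded.split(",")[-1].strip()
    return peer


class FailedLoginTracker:
    """In-memory sliding-window count of failed logins per source IP."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window, self.limit = window, limit
        self._hits = defaultdict(deque)

    def record_failure(self, meta, username, now=None,
                       trusted_proxies=frozenset()):
        """Record one failure; return (ip, failures_in_window, flagged)."""
        now = time.time() if now is None else now
        ip = client_ip(meta, trusted_proxies)
        hits = self._hits[ip]
        hits.append((now, username))
        # Drop entries that have aged out of the window.
        while hits and hits[0][0] <= now - self.window:
            hits.popleft()
        return ip, len(hits), len(hits) >= self.limit

    def usernames_tried(self, ip):
        """Distinct usernames seen from this IP, as of its last failure."""
        return sorted({name for _, name in self._hits.get(ip, ())})
```

Many usernames from one address suggests password spraying, while one username from many addresses will not trip a per-IP counter and needs a per-account counter alongside it.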
