Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

#1991 closed enhancement (fixed)

User accounts with is_active

Reported by: dave@… Owned by: Adrian Holovaty
Component: contrib.admin Version: master
Severity: blocker Keywords: auth
Cc: gokerno Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser from this:

            self.user_cache = User.objects.get(username=field_data)

to this:

            self.user_cache = User.objects.filter(is_active=True).get(username=field_data)

Or add a second Manager to django.contrib.auth.models :

class ActiveUser(models.Manager):
    def get_query_set(self):
        return super(ActiveUser, self).get_query_set().filter(is_active=True)

and add these two lines to django.contrib.auth.models.Article :

    objects = models.Manager()
    published = ActiveUser()

and instead of the line above for isValidUser, put this:

            self.user_cache = ActiveUser.objects.get(username=field_data)

Don't forget to do: from django.contrib.auth.users.models import ActiveUser

Change History (7)

comment:1 Changed 11 years ago by germish@…

Both of those solutions would reveal the existsence of the username to a potential attacker, whether they knew the username password or not. Here is an alternative solution, which will only notify the person logging that the username is inactive when they correctly guess the username password:

def isValidPasswordForUser(self, field_data, all_data):
    if self.user_cache is not None and not self.user_cache.check_password(field_data):
        self.user_cache = None
        raise validators.ValidationError, _("Please enter a correct username and password. Note that both fields are case-sensitive.")
    elif self.user_cache is not None and not self.user_cache.is_active:
        self.user_cache = None
        raise validators.ValidationError, _("This account is incative.")

comment:2 Changed 11 years ago by Adrian Holovaty

Resolution: fixed
Status: newclosed

(In [3058]) Fixed #1991 -- Changed AuthenticationForm to disallow users with is_active=False from logging in. Thanks, dave@… and germish@…

comment:3 Changed 10 years ago by phentermine online

Type: defect

comment:4 Changed 10 years ago by Smith

Summary: User accounts with is_active=False are allowed to loginUser accounts with is_active
Type: defect

test

comment:5 Changed 10 years ago by anonymous

Cc: gokerno added
Component: Core frameworkAdmin interface
milestone: Version 1.0
priority: normalhighest
Resolution: fixed
Severity: normalblocker
Status: closedreopened
Type: defectenhancement

test script, sorry

comment:6 Changed 10 years ago by Russell Keith-Magee

Resolution: fixed
Status: reopenedclosed

Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.

comment:7 Changed 10 years ago by (none)

milestone: Version 1.0

Milestone Version 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top