Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#1991 closed enhancement (fixed)

User accounts with is_active

Reported by: dave@… Owned by: adrian
Component: contrib.admin Version: master
Severity: blocker Keywords: auth
Cc: gokerno Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

My thought on how to fix this is to change this line in django.contrib.auth.forms.isValidUser from this:

            self.user_cache = User.objects.get(username=field_data)

to this:

            self.user_cache = User.objects.filter(is_active=True).get(username=field_data)

Or add a second Manager to django.contrib.auth.models :

class ActiveUser(models.Manager):
    def get_query_set(self):
        return super(ActiveUser, self).get_query_set().filter(is_active=True)

and add these two lines to django.contrib.auth.models.Article :

    objects = models.Manager()
    published = ActiveUser()

and instead of the line above for isValidUser, put this:

            self.user_cache = ActiveUser.objects.get(username=field_data)

Don't forget to do: from django.contrib.auth.users.models import ActiveUser

Change History (7)

comment:1 Changed 9 years ago by germish@…

Both of those solutions would reveal the existsence of the username to a potential attacker, whether they knew the username password or not. Here is an alternative solution, which will only notify the person logging that the username is inactive when they correctly guess the username password:

def isValidPasswordForUser(self, field_data, all_data):
    if self.user_cache is not None and not self.user_cache.check_password(field_data):
        self.user_cache = None
        raise validators.ValidationError, _("Please enter a correct username and password. Note that both fields are case-sensitive.")
    elif self.user_cache is not None and not self.user_cache.is_active:
        self.user_cache = None
        raise validators.ValidationError, _("This account is incative.")

comment:2 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [3058]) Fixed #1991 -- Changed AuthenticationForm to disallow users with is_active=False from logging in. Thanks, dave@… and germish@…

comment:3 Changed 9 years ago by phentermine online

  • Type defect deleted

comment:4 Changed 9 years ago by test

  • Summary changed from User accounts with is_active=False are allowed to login to User accounts with is_active
  • Type set to defect

test

comment:5 Changed 8 years ago by anonymous

  • Cc gokerno added
  • Component changed from Core framework to Admin interface
  • milestone set to Version 1.0
  • priority changed from normal to highest
  • Resolution fixed deleted
  • Severity changed from normal to blocker
  • Status changed from closed to reopened
  • Type changed from defect to enhancement

test script, sorry

comment:6 Changed 8 years ago by russellm

  • Resolution set to fixed
  • Status changed from reopened to closed

Please refrain from 'testing' on this ticket database - it is a live entity that we use for real work.

comment:7 Changed 8 years ago by anonymous

  • milestone Version 1.0 deleted

Milestone Version 1.0 deleted

Note: See TracTickets for help on using tickets.
Back to Top