#23847 closed Cleanup/optimization (fixed)
Minor Problem with Auth Documentation
| Reported by: | xmnr | Owned by: | Berker Peksag |
|---|---|---|---|
| Component: | Documentation | Version: | 1.7 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hello,
In the Django documentation about the authentication system, there are several snippets of code which may mislead the uninitiated.
https://docs.djangoproject.com/en/1.7/topics/auth/default/#auth-web-requests
For instance:
```python
def email_check(user):
    return '@…' in user.email
```
This is later used by user_passes_test() to authorize a user.
This is a very clear example, but if put into production it would be a security liability because it doesn't prevent a user from registering with the email "hacker@…", or with the upcoming "hacker@…". I think most developers are wiser than that, but a novice may not be.
I think this should be emended with the use of `user.email.endswith("@example.com")`.
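The substring check described in the ticket and the `endswith` fix it proposes, placed side by side as an added example (this is not the Django documentation's code nor code from the ticket). It assumes the gated domain is `example.com`, uses a `SimpleNamespace` stand-in for the Django user object (only `.email` is needed), and adds a third, stricter domain comparison that goes beyond the ticket's suggestion by normalising case and isolating the part after the last `@`. The sample addresses are constructed for the demonstration.

```python
# Added example (not the Django docs' or the ticket's code): a substring-based
# domain check beside two stricter variants, run over constructed sample addresses.
from types import SimpleNamespace

ALLOWED_DOMAIN = "example.com"  # assumed: the domain the docs' example gates on


def email_check_substring(user):
    """Mirrors the shape of the docs' snippet: a plain substring test.
    Matches any address that merely *contains* '@example.com'."""
    return "@" + ALLOWED_DOMAIN in user.email


def email_check_endswith(user):
    """The fix proposed in the ticket: the address must end with '@example.com'.
    Still case-sensitive, so 'Alice@Example.COM' is rejected."""
    return user.email.endswith("@" + ALLOWED_DOMAIN)


def email_check_domain(user):
    """Stricter variant (an assumption beyond the ticket): isolate the domain
    after the last '@', normalise case and surrounding whitespace, and compare
    it exactly. Rejects addresses with no '@', an empty local part, or any
    trailing host labels."""
    local, at, domain = user.email.strip().rpartition("@")
    return bool(at) and bool(local) and domain.lower() == ALLOWED_DOMAIN


def user_with(email):
    """Stand-in for a Django user object (assumption); only .email is used."""
    return SimpleNamespace(email=email)


# Constructed sample inputs: a legitimate address, one that embeds the allowed
# domain in the middle of a longer host name, and one with different casing.
SAMPLES = [
    "alice@example.com",
    "mallory@example.com.attacker.test",
    "Alice@Example.COM",
]


def compare_checks(emails=SAMPLES):
    """Return {email: (substring, endswith, domain)} so the three policies
    can be compared side by side."""
    return {
        e: (
            email_check_substring(user_with(e)),
            email_check_endswith(user_with(e)),
            email_check_domain(user_with(e)),
        )
        for e in emails
    }


if __name__ == "__main__":
    for email, (sub, ends, dom) in compare_checks().items():
        print(f"{email:36} substring={sub!s:5} endswith={ends!s:5} domain={dom}")
```

Running the block shows the second sample passing the substring check but failing both stricter ones, which is the liability the ticket describes; the third sample shows that `endswith` alone still treats domain case as significant, which the normalised comparison handles.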
Change History (4)
comment:1 by , 11 years ago
| Needs documentation: | set |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
comment:2 by , 11 years ago
| Has patch: | set |
|---|---|
| Needs documentation: | unset |
| Owner: | changed from to |
| Status: | new → assigned |
comment:3 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Makes sense to me. Our documentation should always give the best possible example. Could you make a pull request with all the example changes you think we should make?