﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23847	Minor Problem with Auth Documentation	xmnr	Berker Peksag	"Hello,

In the Django documentation about the authentication system, there are several snippets of code which may mislead the uninitiated.

https://docs.djangoproject.com/en/1.7/topics/auth/default/#auth-web-requests

For instance:

def email_check(user):
    return '@example.com' in user.email

This is later used by user_passes_test() to authorize a user.

This is a very clear example, but if put into production it would be a security liability because it doesn't prevent a user from registering with the email ""hacker@example.com.evil.net"", or with the upcoming ""hacker@example.computer"". I think most developers are wiser than that, but a novice may not be.

I think this should be emended with the use of user.email.endswith(""@example.com"")"	Cleanup/optimization	closed	Documentation	1.7	Normal	fixed			Accepted	1	0	0	0	0	0
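
The substring check quoted in the ticket beside the `endswith` check it proposes, as an added example (not code from the Django documentation or from the ticket); it takes a plain email string instead of a `user` object, and the third function goes beyond the ticket as an assumption: comparing the whole part after the last `@` case-insensitively, which also handles an upper-cased domain.

```python
# Added example (not from the Django docs or the ticket): the substring test
# the ticket objects to, the suffix test it proposes, and a stricter variant,
# run over constructed sample addresses.

SAMPLE_EMAILS = [  # constructed for this example
    "alice@example.com",            # legitimate
    "hacker@example.com.evil.net",  # spoof from the ticket
    "hacker@example.computer",      # spoof from the ticket (new gTLD)
    "bob@EXAMPLE.COM",              # legitimate, upper-cased domain
]


def email_check_substring(email: str) -> bool:
    """The documentation snippet's logic: a substring test (bypassable)."""
    return "@example.com" in email


def email_check_suffix(email: str) -> bool:
    """The ticket's suggested fix: the address must end with the domain."""
    return email.endswith("@example.com")


def email_check_domain(email: str, allowed_domain: str = "example.com") -> bool:
    """Assumption beyond the ticket: compare the part after the last '@' as a
    whole, case-insensitively, so 'bob@EXAMPLE.COM' passes and both spoofed
    forms fail. Rejects addresses with no '@' or an empty local part."""
    local, sep, domain = email.rpartition("@")
    return bool(sep) and bool(local) and domain.lower() == allowed_domain.lower()


def compare(emails=SAMPLE_EMAILS):
    """Return {email: (substring_result, suffix_result, domain_result)}."""
    return {
        e: (email_check_substring(e), email_check_suffix(e), email_check_domain(e))
        for e in emails
    }


if __name__ == "__main__":
    for email, (sub, suf, dom) in compare().items():
        print(f"{email:30} substring={sub!s:5} suffix={suf!s:5} domain={dom}")
```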
