Opened 9 years ago

Closed 8 years ago

#6943 closed (fixed)

Multiple emails in admin can cause error

Reported by: Michael Newman
Owned by: Michael Newman
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords: admin, login, nfa
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If you have multiple users who have the same e-mail address and one of them tries to log into the admin site with their email address, Django throws an exception. This is an extreme fringe case, but I have been bitten by it due to editors who don't know what they are doing.

I applied a patch that doesn't return a username from the e-mail address. I can't find tests to add a line that would test for this. This patch is applied to Newforms Admin, but the two lines could be applied to trunk without a problem.

Attachments (3)

6943-admin-multiple-emails.diff (732 bytes) - added by Michael Newman 9 years ago.
simple two line patch to catch the exception and return a generic message
6943-nfa-admin-multiple-emails.diff (2.4 KB) - added by Michael Newman 8 years ago.
New patch against New-Forms Admin r7612, with tests!
6943-nfa-admin-multiple-emails.2.diff (3.3 KB) - added by Michael Newman 8 years ago.
New patch addressing the idea of e-mail address guessing.


Change History (9)

Changed 9 years ago by Michael Newman

simple two line patch to catch the exception and return a generic message

comment:1 Changed 8 years ago by Michael Newman

Keywords: nfa added
Needs tests: set
Owner: changed from nobody to Michael Newman
Status: new → assigned

Changed 8 years ago by Michael Newman

New patch against New-Forms Admin r7612, with tests!

comment:2 Changed 8 years ago by Michael Newman

Version: SVN → newforms-admin

comment:3 Changed 8 years ago by Marc Fargas

Triage Stage: Unreviewed → Accepted

comment:4 Changed 8 years ago by Michael Newman

Triage Stage: Accepted → Ready for checkin

comment:5 in reply to:  4 Changed 8 years ago by Marc Fargas

Needs tests: unset

Changed 8 years ago by Michael Newman

New patch addressing the idea of e-mail address guessing.

comment:6 Changed 8 years ago by Brian Rosner

Resolution: fixed
Status: assigned → closed

(In [7694]) newforms-admin: Fixed #6943 and #7263 -- Handle multiple e-mail addresses when checking if it was mistakenly entered. Also prevent e-mail guessing by checking password before throwing an error. Thanks Michael Newman and Valera Grishin.
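
The behaviour described in the closing commit message, sketched as an added example (this is not Django's code or any of the attached patches). An in-memory list stands in for the user table; the function names, message texts and sample accounts are constructed for illustration.

```python
import hashlib
import hmac

def digest(password):
    # Toy unsalted hash so the demo is self-contained; not a storage scheme.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample accounts: two editors share one e-mail address.
USERS = [
    {"username": "alice", "email": "desk@example.com", "pw": digest("alice-pw")},
    {"username": "bob", "email": "desk@example.com", "pw": digest("bob-pw")},
    {"username": "carol", "email": "carol@example.com", "pw": digest("carol-pw")},
]

GENERIC = "Please enter a correct username and password."  # constructed text
HINT = "Your e-mail address is not your username. Try '%s' instead."  # constructed

def check_password(user, password):
    return hmac.compare_digest(user["pw"], digest(password))

def login(identifier, password):
    """Return (authenticated username or None, message for the visitor)."""
    for user in USERS:
        if user["username"] == identifier and check_password(user, password):
            return user["username"], "ok"
    if "@" in identifier:
        # Collect every row with this address instead of fetching exactly
        # one, so a shared address cannot raise on the multiple-rows case.
        same_email = [u for u in USERS if u["email"] == identifier]
        # Name an account only if the submitted password belongs to it;
        # otherwise the hint would confirm which addresses are registered.
        proven = [u["username"] for u in same_email if check_password(u, password)]
        if proven:
            return None, HINT % proven[0]
    return None, GENERIC
```

A wrong password against a registered address and any password against an unregistered address produce the same generic message, so the form cannot be used to test which addresses exist.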
