Opened 7 years ago

Closed 7 years ago

#6943 closed (fixed)

Multiple emails in admin can cause error

Reported by: Mnewman
Owned by: Mnewman
Component: contrib.admin
Version: newforms-admin
Severity:
Keywords: admin, login, nfa
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

If you have multiple users who have the same e-mail address and one of them tries to log into the admin site with their e-mail address, Django throws an exception. This is an extreme fringe case, but I have been bitten by it due to editors who don't know what they are doing.

I applied a patch that doesn't return a username from the e-mail address. I can't find tests to add a line that would test for this. This patch is applied to Newforms Admin, but the two lines could be applied to trunk without a problem.

Attachments (3)

6943-admin-multiple-emails.diff (732 bytes) - added by Mnewman 7 years ago.
simple two line patch to catch the exception and return a generic message
6943-nfa-admin-multiple-emails.diff (2.4 KB) - added by Mnewman 7 years ago.
New patch against New-Forms Admin r7612, with tests!
6943-nfa-admin-multiple-emails.2.diff (3.3 KB) - added by Mnewman 7 years ago.
New patch addressing the idea of e-mail address guessing.


Change History (9)

Changed 7 years ago by Mnewman

simple two line patch to catch the exception and return a generic message

comment:1 Changed 7 years ago by Mnewman

  • Keywords nfa added
  • Needs documentation unset
  • Needs tests set
  • Owner changed from nobody to Mnewman
  • Patch needs improvement unset
  • Status changed from new to assigned

Changed 7 years ago by Mnewman

New patch against New-Forms Admin r7612, with tests!

comment:2 Changed 7 years ago by Mnewman

  • Version changed from SVN to newforms-admin

comment:3 Changed 7 years ago by telenieko

  • Triage Stage changed from Unreviewed to Accepted

comment:4 follow-up: Changed 7 years ago by Mnewman

  • Triage Stage changed from Accepted to Ready for checkin

comment:5 in reply to: ↑ 4 Changed 7 years ago by telenieko

  • Needs tests unset

Changed 7 years ago by Mnewman

New patch addressing the idea of e-mail address guessing.

comment:6 Changed 7 years ago by brosner

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [7694]) newforms-admin: Fixed #6943 and #7263 -- Handle multiple e-mail addresses when checking if it was mistakenly entered. Also prevent e-mail guessing by checking password before throwing an error. Thanks Michael Newman and Valera Grishin.
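
A minimal model of the two behaviours this ticket and [7694] describe, added here as an illustration; it is not Django's code and not any of the attached patches. The `User` class, the function names, the message strings and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

GENERIC = "Please enter a correct username and password."  # assumed wording
HINT = "Your e-mail address is not your username. Try '%s' instead."  # assumed wording


def pw_hash(raw, salt):
    # Low iteration count keeps the sample fast; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 1000)


@dataclass
class User:  # hypothetical stand-in for the auth user model
    username: str
    email: str
    salt: bytes
    digest: bytes

    def check_password(self, raw):
        return hmac.compare_digest(pw_hash(raw, self.salt), self.digest)


def make_user(username, email, password):
    salt = username.encode()  # constructed data; real salts are random
    return User(username, email, salt, pw_hash(password, salt))


def hint_before(users, login, password):
    """Single-object lookup by e-mail; the password is never consulted."""
    matches = [u for u in users if u.email == login]
    if len(matches) > 1:
        # Stands in for the ORM's multiple-results exception from the ticket.
        raise LookupError("more than one user has e-mail %r" % login)
    return HINT % matches[0].username if matches else GENERIC


def hint_after(users, login, password):
    """Accept any number of matches; reveal a username only to its owner."""
    for u in users:
        if u.email == login and u.check_password(password):
            return HINT % u.username
    return GENERIC  # same reply for unknown e-mail and wrong password


# Constructed sample data: two editors sharing one address, one unique.
USERS = [
    make_user("alice", "desk@example.com", "alice-pw"),
    make_user("bob", "desk@example.com", "bob-pw"),
    make_user("carol", "carol@example.com", "carol-pw"),
]
```

With the shared address, `hint_before` raises, while `hint_after` returns the hint only for the account whose password matches and the generic message in every other case.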
