Don't check that user has entered e-mail instead of username
|Reported by:||Valera Grishin||Owned by:||nobody|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Current django/trunk/contrib/admin/views/decorators.py has function staff_member_required which checks whether user supplied an e-mail address instead of username in the login form.
If so and e-mail is found in the user database it will suggest (via error message) the user to use username instead. The error message will also show the username found by given e-mail.
Here is the code in the staff_member_required function:
if user is None: message = ERROR_MESSAGE if '@' in username: # Mistakenly entered e-mail address instead of username? Look it up. users = list(User.objects.filter(email=username)) if len(users) == 1: message = _("Your e-mail address is not your username. Try '%s' instead.") % users.username else: # Either we cannot find the user, or if more than 1 # we cannot guess which user is the correct one. message = _("Usernames cannot contain the '@' character.") return _display_login_form(request, message)
This feature actually works as lookup and partially uncovers sensitive information. It can be used to:
- check whether certain e-mail exists (at all)
- check whether certain e-mail is registered (on certain site)
- find username by e-mail
In order to solve this issue the logic can be simplified as follows:
if user is None: message = ERROR_MESSAGE if '@' in username: message = _("Usernames cannot contain the '@' character.") return _display_login_form(request, message)
Corresponding patch is attached.