newforms-admin: Fixed #6943 and #7263 -- Handle multiple e-mail addresses when checking whether an e-mail address was mistakenly entered as the username. Also prevent e-mail guessing by checking the password before reporting an error. Thanks Michael Newman and Valera Grishin.

git-svn-id: http://code.djangoproject.com/svn/django/branches/newforms-admin@7694 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 308cef40680050f2617400bb729a9e9a1fc0835a 1 parent 86a946a
@brosner brosner authored
8 django/contrib/admin/sites.py
@@ -226,10 +226,14 @@ def login(self, request):
# Mistakenly entered e-mail address instead of username? Look it up.
try:
user = User.objects.get(email=username)
- except User.DoesNotExist:
+ except (User.DoesNotExist, User.MultipleObjectsReturned):
message = _("Usernames cannot contain the '@' character.")
else:
- message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+ if user.check_password(password):
+ message = _("Your e-mail address is not your username."
+ " Try '%s' instead." % user.username)
+ else:
+ message = _("Usernames cannot contain the '@' character.")
return self.display_login_form(request, message)
# The user data is correct; log in the user in and continue.
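Review bot: The `%` interpolation on the new hint, `_("Your e-mail address is not your username." " Try '%s' instead." % user.username)`, is applied inside the `_()` call, so gettext is asked to translate the already-formatted string and no catalog entry can match it; the original form kept the formatting outside, `message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username`. The generic `Usernames cannot contain the '@' character.` literal now appears in both the `except` branch and the wrong-password branch; binding it once before the `try` and reusing it keeps the two responses guaranteed identical, which is the property the enumeration fix depends on. A short comment such as `# Same message whether the address is unknown, ambiguous, or the password is wrong, so the response does not reveal which.` would record that intent for the next maintainer; note that `check_password` still runs only when an address matches, so the two paths may differ in timing even though the text is identical. The enclosing `login` body, where `username` and `password` are bound, starts and ends outside the hunk.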
23 tests/regressiontests/admin_views/tests.py
@@ -49,6 +49,14 @@ def setUp(self):
LOGIN_FORM_KEY: 1,
'username': 'super',
'password': 'secret'}
+ self.super_email_login = {'post_data': _encode_post_data({}),
+ LOGIN_FORM_KEY: 1,
+ 'username': 'super@example.com',
+ 'password': 'secret'}
+ self.super_email_bad_login = {'post_data': _encode_post_data({}),
+ LOGIN_FORM_KEY: 1,
+ 'username': 'super@example.com',
+ 'password': 'notsecret'}
self.adduser_login = {'post_data': _encode_post_data({}),
LOGIN_FORM_KEY: 1,
'username': 'adduser',
@@ -83,6 +91,21 @@ def testLogin(self):
self.assertFalse(login.context)
self.client.get('/test_admin/admin/logout/')
+ # Test if user enters e-mail address
+ request = self.client.get('/test_admin/admin/')
+ self.failUnlessEqual(request.status_code, 200)
+ login = self.client.post('/test_admin/admin/', self.super_email_login)
+ print login
+ self.assertContains(login, "Your e-mail address is not your username")
+ # only correct passwords get a username hint
+ login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+ self.assertContains(login, "Usernames cannot contain the '@' character")
+ new_user = User(username='jondoe', password='secret', email='super@example.com')
+ new_user.save()
+ # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+ login = self.client.post('/test_admin/admin/', self.super_email_login)
+ self.assertContains(login, "Usernames cannot contain the '@' character")
+
# Add User
request = self.client.get('/test_admin/admin/')
self.failUnlessEqual(request.status_code, 200)
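Review bot: The `print login` left in testLogin's new e-mail block is debug output that dumps the whole response to the runner's stdout on every run; drop that line. The second account created for the duplicate-address case, `new_user = User(username='jondoe', password='secret', email='super@example.com')`, is never removed, so the "Add User" steps that follow in the same method run against a fixture state that differs from what setUp produced; a `new_user.delete()` after the final assertion, or moving the duplicate-address case into its own test method, keeps the cases independent. Passing `password='secret'` to the constructor stores the literal rather than a hash, which is harmless for these assertions since the generic message is expected either way, but `set_password` would be needed if a later case tries to log in as that user. testLogin continues outside the hunk.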
