newforms-admin: Fixed #6943 and #7263 -- Handle multiple e-mail addresses when checking if it was mistakenly entered. Also prevent e-mail guessing by checking password before throwing an error. Thanks Michael Newman and Valera Grishin.

git-svn-id: http://code.djangoproject.com/svn/django/branches/newforms-admin@7694 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 308cef40680050f2617400bb729a9e9a1fc0835a 1 parent 86a946a
Brian Rosner authored June 18, 2008
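--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@@ -226,10 +226,14 @@ def login(self, request):
                 # Mistakenly entered e-mail address instead of username? Look it up.
                 try:
                     user = User.objects.get(email=username)
-                except User.DoesNotExist:
+                except (User.DoesNotExist, User.MultipleObjectsReturned):
                     message = _("Usernames cannot contain the '@' character.")
                 else:
-                    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+                    if user.check_password(password):
+                        message = _("Your e-mail address is not your username."
+                                    " Try '%s' instead." % user.username) 
+                    else:
+                        message = _("Usernames cannot contain the '@' character.")
             return self.display_login_form(request, message)
 
         # The user data is correct; log in the user in and continue.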
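Review bot: In the added `if user.check_password(password):` branch the `%` interpolation now happens inside the `_()` call, so gettext is asked to translate the already-formatted string (username substituted in) and will never find it in the catalog; the hint can only ever appear untranslated. Keep the interpolation outside the call, as the removed line had it: `message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username`. The enumeration fix is sound at the message level, but `check_password` only runs when a matching e-mail exists, so whether an e-mail is registered may still be inferable from response timing; if that residual is accepted, a `# NOTE: same message for unknown e-mail and wrong password, so the lookup does not reveal registered addresses` next to the `except` clause would record the intent. `login` starts and ends outside this hunk.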
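--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@@ -49,6 +49,14 @@ def setUp(self):
                      LOGIN_FORM_KEY: 1,
                      'username': 'super',
                      'password': 'secret'}
+        self.super_email_login = {'post_data': _encode_post_data({}),
+                     LOGIN_FORM_KEY: 1,
+                     'username': 'super@example.com',
+                     'password': 'secret'}
+        self.super_email_bad_login = {'post_data': _encode_post_data({}),
+                      LOGIN_FORM_KEY: 1,
+                      'username': 'super@example.com',
+                      'password': 'notsecret'}
         self.adduser_login = {'post_data': _encode_post_data({}),
                      LOGIN_FORM_KEY: 1,
                      'username': 'adduser',
@@ -83,6 +91,21 @@ def testLogin(self):
         self.assertFalse(login.context)
         self.client.get('/test_admin/admin/logout/')
         
+        # Test if user enters e-mail address
+        request = self.client.get('/test_admin/admin/')
+        self.failUnlessEqual(request.status_code, 200)
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        print login
+        self.assertContains(login, "Your e-mail address is not your username")
+        # only correct passwords get a username hint
+        login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")
+        new_user = User(username='jondoe', password='secret', email='super@example.com')
+        new_user.save()
+        # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        self.assertContains(login, "Usernames cannot contain the '@' character")        
+        
         # Add User
         request = self.client.get('/test_admin/admin/')
         self.failUnlessEqual(request.status_code, 200)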
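Review bot: The added `print login` in `testLogin` is a leftover debug statement that dumps the whole HTML response into the test output on every run and should be deleted. The multiple-e-mail fixture `User(username='jondoe', password='secret', email='super@example.com')` stores the literal string in the password column rather than a hash; it does not matter for this assertion because `MultipleObjectsReturned` is raised before any password check, but `User.objects.create_user('jondoe', 'super@example.com', 'secret')` would avoid the ambiguity and still hold if the lookup logic changes. To pin the enumeration property the commit is about, it would also help to post an e-mail that belongs to no user and assert the response carries the same "Usernames cannot contain the '@' character" message as the wrong-password case. `testLogin` continues outside this hunk, and the `jondoe` user created here remains in the database for whatever follows.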
