[Django] #28645: The inactive user error never is raised in login form

#28645: The inactive user error never is raised in login form
-----------------------------------------------+------------------------
               Reporter:  Guilherme Junqueira  |          Owner:  nobody
                   Type:  Bug                  |         Status:  new
              Component:  contrib.auth         |        Version:  1.11
               Severity:  Normal               |       Keywords:
           Triage Stage:  Unreviewed           |      Has patch:  0
    Needs documentation:  0                    |    Needs tests:  0
Patch needs improvement:  0                    |  Easy pickings:  0
                  UI/UX:  0                    |
-----------------------------------------------+------------------------
 Looking in file django.contrib.auth.forms

 The class AuthenticationForm and clean method.

 The inactive user error is never raised. This happens because after Django 1.10
 all users that are not active cannot authenticate, so self.user_cache is
 always None for inactive users, even if they have a correct user and pass.

 So the code needed to be changed to raise the correct error for a user
 that is not active.

 My stackoverflow thread about this:
 https://stackoverflow.com/questions/46459258/how-to-inform-a-user-that-he-is-not-active-in-django-login-view/46459998#46459998

--
Ticket URL: <https://code.djangoproject.com/ticket/28645>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/053.d42cbda65d5206d67da0b678123180de%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend (was: The inactive user error never is raised in login form)

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+------------------------------------
Changes (by Tim Graham):

 * stage:  Unreviewed => Accepted


Comment:

 Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86 (#25232).

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:1>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by hui shang):

 * owner:  nobody => hui shang
 * status:  new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:2>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by hui shang):

 * has_patch:  0 => 1


Comment:

 [https://github.com/django/django/pull/9308 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:3>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * needs_better_patch:  0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:4>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by hui shang):

 * needs_better_patch:  1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:5>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"359370a8b8ca0efe99b1d4630b291ec060b69225" 359370a]:
 {{{
 #!CommitTicketReference repository=""
 revision="359370a8b8ca0efe99b1d4630b291ec060b69225"
 Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user
 error when using ModelBackend.

 Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86.

 Thanks Guilherme Junqueira for the report and Tim Graham for the review.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:6>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"36dd0126a5a9688530f099ab6cc4f8621d1494b3" 36dd0126]:
 {{{
 #!CommitTicketReference repository=""
 revision="36dd0126a5a9688530f099ab6cc4f8621d1494b3"
 [2.0.x] Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive
 user error when using ModelBackend.

 Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86.

 Thanks Guilherme Junqueira for the report and Tim Graham for the review.

 Backport of 359370a8b8ca0efe99b1d4630b291ec060b69225 from master
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:7>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:  hui shang
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"308f64462421b09b21ef0dcd9cc3654cc25bceba" 308f644]:
 {{{
 #!CommitTicketReference repository=""
 revision="308f64462421b09b21ef0dcd9cc3654cc25bceba"
 [1.11.x] Fixed #28645 -- Reallowed AuthenticationForm to raise the
 inactive user error when using ModelBackend.

 Regression in e0a3d937309a82b8beea8f41b17d8b6298da2a86.

 Thanks Guilherme Junqueira for the report and Tim Graham for the review.

 Backport of 359370a8b8ca0efe99b1d4630b291ec060b69225 from master
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:8>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"af33fb250e9847f1ca8c0ba0d72671d76659704f" af33fb25]:
 {{{
 #!CommitTicketReference repository=""
 revision="af33fb250e9847f1ca8c0ba0d72671d76659704f"
 Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.

 Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645).

 This is a security fix.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:9>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"c37bb28677295f6edda61d8ac461014ef0d3aeb2" c37bb286]:
 {{{
 #!CommitTicketReference repository=""
 revision="c37bb28677295f6edda61d8ac461014ef0d3aeb2"
 [2.0.x] Fixed CVE-2018-6188 -- Fixed information leakage in
 AuthenticationForm.

 Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645).

 This is a security fix.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:10>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

 In [changeset:"57b95fedad5e0b83fc9c81466b7d1751c6427aae" 57b95fed]:
 {{{
 #!CommitTicketReference repository=""
 revision="57b95fedad5e0b83fc9c81466b7d1751c6427aae"
 [1.11.x] Fixed CVE-2018-6188 -- Fixed information leakage in
 AuthenticationForm.

 Reverted 359370a8b8ca0efe99b1d4630b291ec060b69225 (refs #28645).

 This is a security fix.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:11>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  2.1                  |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * keywords:   => 2.1
 * status:  closed => new
 * has_patch:  1 => 0
 * resolution:  fixed =>


Comment:

 Reopening since the fix had to be reverted. We'll try to develop a
 solution for Django 2.1. Probably the solution will be too invasive to
 backport to the stable branches.

 In a mail to the security mailing list, Jack Cushman suggested:

  It's desirable for auth backends to enforce rules like “no inactive
 users” when supplied with otherwise-correct credentials – that’s more of a
 backend concern than a display concern, and forms shouldn’t be required to
 enforce it. But it is desirable for auth forms to show custom error
 messages when an auth backend rejects a user, if and only if the user
 supplied correct credentials. The ideal way to solve both problems would
 be for auth backends to return a tuple of `(user or None,
 custom_error_code or None)`, but that would break backwards compatibility.

  So, can we let auth backends return custom error codes with backwards
 compatibility?

  Attached is an untested patch that hopefully does that, by adding an
 authenticate_with_error_code method that backends can optionally implement
 and forms can optionally consume. I think this is a good angle on the
 problem – it cleans up the can of worms with displaying custom errors, and
 also totally avoids dealing with attacker-submitted data after credentials
 fail to validate, which is key to avoiding any subtle security issues.

 I'll attach the patch, but I haven't evaluated it in much detail.

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:12>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  2.1                  |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * Attachment "28645-jc.diff" added.


--
Ticket URL: <https://code.djangoproject.com/ticket/28645>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  2.1                  |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Christoph Schwarzenberg):

 * cc: Christoph Schwarzenberg (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:13>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  2.1                  |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Christoph Schwarzenberg):

 Maybe it is enough to check the supplied password.

 I've modified the code from shangdahao accordingly:
 https://stackoverflow.com/a/49138231/9453030

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:14>

Re: [Django] #28645: AuthenticationForm's inactive user error isn't raised when using ModelBackend

#28645: AuthenticationForm's inactive user error isn't raised when using
ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Guilherme Junqueira  |                    Owner:
                                     |  shangdahao
         Type:  Bug                  |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  2.1                  |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 That approach may leak whether or not a username exists because of the
 time it takes to hash a password. For user names that exist, password
 hashing will run twice compared to once for user names that don't exist.
 See #20760 for a past example.

--
Ticket URL: <https://code.djangoproject.com/ticket/28645#comment:15>
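
Added example, not part of the ticket and not Jack Cushman's attached patch: a minimal model (no Django imports) of the hash-count asymmetry described in comment 15 and of a backend-side authenticate_with_error_code in the spirit of comment 12. The User class, the USERS table, form_recheck and the hash counter are constructed for illustration; only the method name and the (user, error_code) return shape come from the thread.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Number of expensive hash runs; a deterministic stand-in for response time.
HASH_CALLS = 0


def make_hash(password, salt):
    """Deliberately slow password hash (iteration count kept low for the demo)."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    is_active: bool = True

    def check_password(self, raw):
        return hmac.compare_digest(make_hash(raw, self.salt), self.password_hash)


def _make_user(name, password, active):
    salt = name.encode()  # constructed sample data; real salts are random
    return User(name, salt, make_hash(password, salt), active)


# Constructed accounts: one active, one inactive.
USERS = {u.username: u for u in (
    _make_user("alice", "pw-a", True),
    _make_user("bob", "pw-b", False),
)}


def backend_authenticate(username, password):
    """Model of a backend that rejects inactive users and returns only user/None."""
    user = USERS.get(username)
    if user is None:
        # Unknown username: hash once anyway so this path costs the same
        # as a known one (the mitigation referenced via #20760).
        make_hash(password, b"dummy")
        return None
    if user.check_password(password) and user.is_active:
        return user
    return None


def form_recheck(username, password):
    """Form-side approach: after a rejection, check the password a second time."""
    user = backend_authenticate(username, password)
    if user is not None:
        return user, None
    candidate = USERS.get(username)
    # Second hash runs only when the username exists: the asymmetry.
    if candidate is not None and candidate.check_password(password) \
            and not candidate.is_active:
        return None, "inactive"
    return None, "invalid_login"


def authenticate_with_error_code(username, password):
    """Backend-side approach: one hash on every path, code only after a match."""
    user = USERS.get(username)
    if user is None:
        make_hash(password, b"dummy")
        return None, None
    if not user.check_password(password):
        return None, None
    if not user.is_active:
        return None, "inactive"  # reached only with correct credentials
    return user, None


def hash_calls(fn, username, password):
    """Run one login attempt and report (hash runs, result)."""
    global HASH_CALLS
    HASH_CALLS = 0
    result = fn(username, password)
    return HASH_CALLS, result


if __name__ == "__main__":
    attempts = [("alice", "wrong"), ("bob", "pw-b"), ("nobody", "wrong")]
    for fn in (form_recheck, authenticate_with_error_code):
        for name, pw in attempts:
            calls, (_, code) = hash_calls(fn, name, pw)
            print(f"{fn.__name__:30} {name:7} hashes={calls} code={code}")
```

With form_recheck, a failed attempt costs two hash runs for a username that exists and one for a username that does not; with the backend-side method every attempt costs one.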