# HG changeset patch
# User Andrew Shadura <andrew@shadura.me>
# Date 1431788631 -7200
# Node ID b75f1d0753d60db4924191e63811840f368e5ecd
# Parent  de9a3152c2064c08e6c7bc2f0066b2c5b064ad60
privacy: don't tell users what is the reason for a failed login

Makes it harder for strangers to probe the instance for presence of
certain users. This can make it harder to break in, as it is now
harder to tell is a username or a password are wrong, so bruteforcing
should probably take a bit longer if you don't know what exactly are
you doing.

diff -r de9a3152c206 -r b75f1d0753d6 kallithea/model/validators.py
--- a/kallithea/model/validators.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/model/validators.py	Sat May 16 17:03:51 2015 +0200
@@ -298,9 +298,7 @@
 def ValidAuth():
     class _validator(formencode.validators.FancyValidator):
         messages = {
-            'invalid_password': _('Invalid password'),
-            'invalid_username': _('Invalid username'),
-            'disabled_account': _('Account has been disabled')
+            'invalid_auth': _(u'Invalid username or password'),
         }
 
         def validate_python(self, value, state):
@@ -315,16 +313,15 @@
                 user = User.get_by_username(username)
                 if user and not user.active:
                     log.warning('user %s is disabled' % username)
-                    msg = M(self, 'disabled_account', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg)
+                        error_dict=dict(username=' ', password=msg)
                     )
                 else:
                     log.warning('user %s failed to authenticate' % username)
-                    msg = M(self, 'invalid_username', state)
-                    msg2 = M(self, 'invalid_password', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg, password=msg2)
+                        error_dict=dict(username=' ', password=msg)
                     )
     return _validator
 
diff -r de9a3152c206 -r b75f1d0753d6 kallithea/tests/__init__.py
--- a/kallithea/tests/__init__.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/tests/__init__.py	Sat May 16 17:03:51 2015 +0200
@@ -215,7 +215,7 @@
                                  {'username': username,
                                   'password': password})
 
-        if 'invalid user name' in response.body:
+        if 'Invalid username or password' in response.body:
             self.fail('could not login using %s %s' % (username, password))
 
         self.assertEqual(response.status, '302 Found')
diff -r de9a3152c206 -r b75f1d0753d6 kallithea/tests/functional/test_login.py
--- a/kallithea/tests/functional/test_login.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/tests/functional/test_login.py	Sat May 16 17:03:51 2015 +0200
@@ -129,8 +129,7 @@
                                  {'username': 'error',
                                   'password': 'test12'})
 
-        response.mustcontain('Invalid username')
-        response.mustcontain('Invalid password')
+        response.mustcontain('Invalid username or password')
 
     # verify that get arguments are correctly passed along login redirection
 
@@ -187,8 +186,7 @@
                                  {'username': 'error',
                                   'password': 'test12'})
 
-        response.mustcontain('Invalid username')
-        response.mustcontain('Invalid password')
+        response.mustcontain('Invalid username or password')
         for encoded in args_encoded:
             self.assertIn(encoded, response.form.action)