changeset 8302:5b147d0f8927

auth: show a clear "Authentication failed" message if login fails after passing form validation. log_in_user will only set a session cookie after verifying that the user is valid (for example based on IP). The code is thus safe, but no hint was given to the user if login failed for that reason.
author Mads Kiilerich <mads@kiilerich.com>
date Thu, 26 Mar 2020 17:48:16 +0100
parents afe30226491e
children 2cb54d157d62
files kallithea/controllers/login.py
diffstat 1 files changed, 3 insertions(+), 2 deletions(-) [+]
--- a/kallithea/controllers/login.py	Tue Mar 24 11:24:05 2020 +0100
+++ b/kallithea/controllers/login.py	Thu Mar 26 17:48:16 2020 +0100
@@ -103,8 +103,9 @@
                 h.flash(e, 'error')
             else:
                 auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
-                # TODO: handle auth_user is None as failed authentication?
-                raise HTTPFound(location=c.came_from)
+                if auth_user:
+                    raise HTTPFound(location=c.came_from)
+                h.flash(_('Authentication failed.'), 'error')
         else:
             # redirect if already logged in
             if not request.authuser.is_anonymous:
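Review bot: The failed-authentication branch at the new `h.flash(_('Authentication failed.'), 'error')` line records nothing server-side, so a post-password rejection (such as the IP-based check the description mentions) is visible only to the user; for detection of repeated failures a log entry at that point would help, e.g. `log.warning('Authentication failed for %s from %s', user, request.ip_addr)` if the module has a logger (not visible in this hunk). Keeping the user-facing message generic is right, since the concrete reason for the rejection should not be disclosed to the client. The enclosing method starts and ends outside the hunk, so what happens after the flash — presumably re-rendering the login form — cannot be confirmed here. A minor style point: since log_in_user reportedly returns None on failure, `if auth_user is not None:` would state that contract more explicitly than a truthiness test.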