changeset 5346:b75f1d0753d6

privacy: don't tell users what the reason for a failed login is. Makes it harder for strangers to probe the instance for the presence of certain users. This can make it harder to break in, as it is now harder to tell whether the username or the password is wrong, so brute-forcing should take a bit longer if you don't already know exactly what you are doing.
author Andrew Shadura <andrew@shadura.me>
date Sat, 16 May 2015 17:03:51 +0200
parents de9a3152c206
children 64659280e466
files kallithea/model/validators.py kallithea/tests/__init__.py kallithea/tests/functional/test_login.py
diffstat 3 files changed, 8 insertions(+), 13 deletions(-) [+]
--- a/kallithea/model/validators.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/model/validators.py	Sat May 16 17:03:51 2015 +0200
@@ -298,9 +298,7 @@
 def ValidAuth():
     class _validator(formencode.validators.FancyValidator):
         messages = {
-            'invalid_password': _('Invalid password'),
-            'invalid_username': _('Invalid username'),
-            'disabled_account': _('Account has been disabled')
+            'invalid_auth': _(u'Invalid username or password'),
         }
 
         def validate_python(self, value, state):
@@ -315,16 +313,15 @@
                 user = User.get_by_username(username)
                 if user and not user.active:
                     log.warning('user %s is disabled' % username)
-                    msg = M(self, 'disabled_account', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg)
+                        error_dict=dict(username=' ', password=msg)
                     )
                 else:
                     log.warning('user %s failed to authenticate' % username)
-                    msg = M(self, 'invalid_username', state)
-                    msg2 = M(self, 'invalid_password', state)
+                    msg = M(self, 'invalid_auth', state)
                     raise formencode.Invalid(msg, value, state,
-                        error_dict=dict(username=msg, password=msg2)
+                        error_dict=dict(username=' ', password=msg)
                     )
     return _validator
 
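Review bot: The `username=' '` entry on the new error_dict lines is an undocumented sentinel — a non-empty string that makes the username field render as erroneous without printing a second copy of the message — and the trick deserves a comment where it is introduced, e.g. `# ' ' marks the username field as invalid without repeating the message`. Whether the unified message also closes timing-based enumeration depends on the credential check above this hunk (not visible here): if a nonexistent or disabled user skips the password hash while an active user with a wrong password pays for it, response time still distinguishes the cases, and a dummy hash on the short path would be the usual mitigation. The two warning log lines keep the distinct reasons server-side, which is the right place for them. validate_python's body starts above this hunk.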
--- a/kallithea/tests/__init__.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/tests/__init__.py	Sat May 16 17:03:51 2015 +0200
@@ -215,7 +215,7 @@
                                  {'username': username,
                                   'password': password})
 
-        if 'invalid user name' in response.body:
+        if 'Invalid username or password' in response.body:
             self.fail('could not login using %s %s' % (username, password))
 
         self.assertEqual(response.status, '302 Found')
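Review bot: The check on the new line keys on the English literal of a `_()`-wrapped message, so it only fires when the test client renders the default locale; the `302 Found` assertion that follows is the locale-independent guard and is what actually detects a failed login. Note that the old string `'invalid user name'` did not match either of the old messages (`'Invalid username'`, `'Invalid password'`), so this branch was effectively dead before and is live for the first time with this commit. A comment such as `# a failed login re-renders the form with the message; success redirects` would explain why both checks exist. The enclosing helper starts above this hunk.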
--- a/kallithea/tests/functional/test_login.py	Fri Jul 31 15:44:07 2015 +0200
+++ b/kallithea/tests/functional/test_login.py	Sat May 16 17:03:51 2015 +0200
@@ -129,8 +129,7 @@
                                  {'username': 'error',
                                   'password': 'test12'})
 
-        response.mustcontain('Invalid username')
-        response.mustcontain('Invalid password')
+        response.mustcontain('Invalid username or password')
 
     # verify that get arguments are correctly passed along login redirection
 
@@ -187,8 +186,7 @@
                                  {'username': 'error',
                                   'password': 'test12'})
 
-        response.mustcontain('Invalid username')
-        response.mustcontain('Invalid password')
+        response.mustcontain('Invalid username or password')
         for encoded in args_encoded:
             self.assertIn(encoded, response.form.action)