That's fine. Why give more information than necessary? You can not enter and that's it. This is not an error because it is done so on purpose. Less is more.

On 11 March 2011 07:18, Jeff Hutchins <compl...@gmail.com> wrote:
> +1 for this fix. I don't think that security through obscurity is ever
> a good choice.
>
> On Wed, Mar 9, 2011 at 9:42 AM, Sergiy Kuzmenko <s.kuzme...@gmail.com> wrote:
> > IMO, obscuring the reason for admin site access denial only confuses
> > the user. If the attacker has user credentials (and knows the admin URL!)
> > the big job has already been done and verifying whether that account
> > is admin or not is trivial enough. There is no added security in
> > displaying a wrong error message. I'd rather simply return a 403 error in
> > this situation.
> >
> > Sergiy
> >
> > On Wed, Mar 9, 2011 at 8:18 AM, Yishai Beeri <yis...@platonix.com> wrote:
> >> +1 on this. Messages should not give inaccurate information.
> >>
> >> I think the current behavior is also eventually detrimental to security. In
> >> a real life setting this leads to superfluous password resets and helpdesk
> >> queries - all leading to worse password choices by the common user, besides
> >> the wasted time and effort.
> >>
> >> Obviously, the new message should only be shown if the username and password
> >> are matched correctly.
> >>
> >> Yishai
> >>
> >> On Wed, 09 Mar 2011 10:39:53 +0200, artemy tregubenko <m...@arty.name> wrote:
> >>> Hello.
> >>>
> >>> I've recently reported a bug[1] in django but got advice to discuss it
> >>> here on django-developers first.
> >>>
> >>> When a user with is_staff=False provides a correct username and password
> >>> to the admin login page, he gets the message "Please enter a correct username and
> >>> password. Note that both fields are case-sensitive." This message is wrong,
> >>> because the username and password are correct. The proper message should be
> >>> something like "You do not have permissions to enter admin area."
> >>>
> >>> I want to emphasize once more that when the username/password combination is
> >>> wrong, the message should be about wrong credentials. But when the
> >>> username/password combination is correct, the message should be about
> >>> permissions.
> >>>
> >>> Russellm opposed that idea saying: "This isn't a good idea, because it can
> >>> be used by an attacker to identify admin accounts. This would be a leak of
> >>> potentially sensitive information, narrowing the scope for any attack."
> >>>
> >>> I consider that point not valid for the following reasons:
> >>>
> >>> * If the attacker has no access to any login or password, he will still see
> >>> the "wrong password" message.
> >>> * If the attacker has access to the login and password of one user, it won't help
> >>> him to know that this user is not an admin.
> >>> * If the attacker knows all logins and passwords, the proposed change won't make
> >>> the attack any easier: the attacker will just try them one after another.
> >>>
> >>> That's why I think that the proposed change doesn't weaken security and should
> >>> be implemented.
> >>>
> >>> I'm strongly in favor of this change, because my mind was blown when
> >>> during debugging I could log in to a site with my credentials, but not to the admin
> >>> section. I've lost some time looking for a bug in my code until I checked
> >>> the is_staff flag.
> >>>
> >>> 1: http://code.djangoproject.com/ticket/15567
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Django developers" group.
> >> To post to this group, send email to django-developers@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> django-developers+unsubscr...@googlegroups.com.
> >> For more options, visit this group at
> >> http://groups.google.com/group/django-developers?hl=en.
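The login check the thread argues about, as an added example (not code from the thread or from Django itself): the password is verified first, with a constant-time comparison and a dummy hash for unknown names, so a wrong password gets exactly the same response whether or not the account exists or is staff, and only a caller who already holds a valid username/password pair is told about the missing is_staff flag (as a 403, per Sergiy's suggestion). The account names, passwords and PBKDF2 parameters are constructed for the example.

```python
# Added example, not Django's own admin login code: verify credentials first,
# then report the permission problem only to a caller who already has them.
import hashlib
import hmac
import os
from dataclasses import dataclass

WRONG_CREDENTIALS = ("Please enter a correct username and password. "
                     "Note that both fields are case-sensitive.")
NOT_STAFF = "You do not have permissions to enter admin area."


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed parameters for the example; real deployments tune these.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed sample accounts (hypothetical): one staff member, one plain user.
USERS = {u.username: u for u in (make_user("alice", "correct horse", True),
                                 make_user("bob", "battery staple", False))}
# Unknown usernames are hashed against this dummy so timing does not reveal
# whether an account exists.
_DUMMY = make_user("", "", False)


def admin_login(username: str, password: str) -> tuple[int, str]:
    """Return (status, message): 200 logged in, 401 wrong credentials, 403 not staff."""
    user = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
    if not ok or username not in USERS:
        # Same message for "no such user", "wrong password" and "not staff but
        # wrong password": nothing about the account is disclosed here.
        return 401, WRONG_CREDENTIALS
    if not user.is_staff:
        # Only reachable with a valid username/password pair.
        return 403, NOT_STAFF
    return 200, ""
```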