On 14 March 2011 17:14, Rohit Sethi <rkli...@gmail.com> wrote:
> To re-iterate, you would get this message iff you have the correct
> credentials for an end user who is not an admin user. You seem to be
> referring to Response Information Discrepancy Information Exposure
> (http://cwe.mitre.org/data/definitions/204.html) which is generally
> about differentiating between incorrect user-name versus incorrect
> password. The security benefit here is negligible since the only
> scenario it protects against is when an attacker who can access the
> admin interface is either unaware or unwilling to try the same attack
> on the end user interface.
Which might be a valid concern if your public-facing login interface is highly protected, but your admin interface is not (for example, because it's only available on your protected intranet). Sure, it's the edgiest of edge cases and if you care enough, you should have applied the same security measures in the first place. So yes, this most likely is not a security issue at all.

OTOH, I don't see a valid usage scenario not involving an admin who has 2 accounts in the system and forgot which one was the proper one.

Now we can bikeshed to all eternity that the message is wrong (it's a bit right too - you didn't give valid credentials for this site. The fact that your main site and admin site use the same user base is an implementation detail), but that won't help anyone. Anyway, Django 1.3 adds an option to change the auth form used by admin[1], so changing that message isn't that hard now. Another option I already mentioned is adding extra help text in the template (you can even make it display only if the form is invalid).

[1]: http://docs.djangoproject.com/en/dev/ref/contrib/admin/#django.contrib.admin.AdminSite.login_form

PS. If you're really concerned about messages from admin you should be really outraged by

_("Your e-mail address is not your username. Try '%s' instead.") % user.username

-- 
Łukasz Rekucki
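Added example, not code from this thread or from Django: a minimal Python model of the two-stage admin login check the thread is arguing about (password first, then the staff flag) in both forms, the leaky one that returns a distinct message when the credentials are right but the account is not staff, and a uniform one that returns the same message for every failure and keeps the real reason only in a server-side audit log. The user store, the message wording, the hashing parameters and the log format are all constructed for the illustration and are not Django's.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example, not Django code: a minimal two-stage admin login
# (credentials, then staff flag) in the leaky and the uniform-message form.

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool
    is_active: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed user store shared by the public site and the admin site,
# mirroring the "same user base" situation the thread describes.
USERS = {
    "alice": make_user("alice", "correct horse", is_staff=False),
    "bob": make_user("bob", "battery staple", is_staff=True),
}
_DUMMY_SALT = secrets.token_bytes(16)

# Constructed messages (not the wording of any real Django release).
MSG_BAD_CREDENTIALS = "Invalid username or password."
MSG_NOT_STAFF = "Those credentials are valid, but the account is not a staff account."
MSG_GENERIC = "Please enter a correct username and password for a staff account."


def _check_credentials(username: str, password: str):
    """Return the User on a password match, else None.

    An unknown username still costs one PBKDF2 run so that response time
    does not reveal whether the account exists.
    """
    user = USERS.get(username)
    if user is None:
        _hash(password, _DUMMY_SALT)
        return None
    if secrets.compare_digest(_hash(password, user.salt), user.pw_hash):
        return user
    return None


def admin_login_leaky(username: str, password: str):
    """The behaviour discussed in the thread: a distinct message when the
    credentials are right but the account is not staff."""
    user = _check_credentials(username, password)
    if user is None:
        return False, MSG_BAD_CREDENTIALS
    if not (user.is_active and user.is_staff):
        return False, MSG_NOT_STAFF  # confirms the password to the client
    return True, "ok"


def admin_login_uniform(username: str, password: str, audit_log: list):
    """Same check, but every failure returns MSG_GENERIC to the client.
    The real reason is kept server-side in audit_log, where a non-staff
    account repeatedly hitting the admin login is worth alerting on."""
    user = _check_credentials(username, password)
    if user is None:
        audit_log.append(f"admin_login_fail user={username!r} reason=bad_credentials")
        return False, MSG_GENERIC
    if not (user.is_active and user.is_staff):
        audit_log.append(f"admin_login_fail user={username!r} reason=not_staff")
        return False, MSG_GENERIC
    audit_log.append(f"admin_login_ok user={username!r}")
    return True, "ok"


if __name__ == "__main__":
    log = []
    print(admin_login_leaky("alice", "correct horse"))         # reveals the password was right
    print(admin_login_uniform("alice", "correct horse", log))  # generic message
    print(admin_login_uniform("alice", "wrong", log))          # same generic message
    print(admin_login_uniform("bob", "battery staple", log))   # (True, 'ok')
    print("\n".join(log))
```

The point of the uniform variant is that the discrepancy does not vanish, it moves: the client sees one message for "no such user", "wrong password" and "valid but not staff", while the audit log still records which one happened, which is what a detection rule for admin-login abuse actually needs.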