+1 on making the error say more than incorrect username/password. That
is confusing. In regards to leaking information about the user, the
error message in general could be changed to something like this, of
course with better wording:

"Username and password incorrect or access to this page restricted".

The current status is that we are telling the user something that is
incorrect. I've actually run into this situation before where I had a
user reset their password a few times before coming to me.

On Tue, Sep 13, 2011 at 12:18 PM, Jan Schotsmans <enlight...@gmail.com> wrote:
> I can imagine several situations where you would like the user not to know
> that, until they talk to an administrator.
> -1 for me too, both giving away user info and giving info to the user that
> would be better given by a talk to an administrator.
>
> 2011/9/13 Cal Leeming [Simplicity Media Ltd]
> <cal.leem...@simplicitymedialtd.co.uk>
>>
>> +1, if the user/pass is entered, that user is entitled to know what its
>> own permissions are.
>> The error should give "You have insufficient access to this page" or
>> something like that.
>> Cal
>>
>> On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner <f.apollo...@gmail.com>
>> wrote:
>>>
>>> -1, This would leak information about the users (But I am sure that's
>>> discussed at length in the other threads)
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Django developers" group.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msg/django-developers/-/5iy7pazGNGkJ.
>>> To post to this group, send email to django-developers@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> django-developers+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/django-developers?hl=en.
>>
>
>
