On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd] <cal.leem...@simplicitymedialtd.co.uk> wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like that.

The thing is: if someone does a brute force attack on '/admin/' and gets this message back, they know there's a user with that login/password in the system. Since brute force attacks using common login/password pairs in these kinds of URLs are so common, I think this exposes your user more than necessary.

-1
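
The two behaviours debated in this thread, side by side, as an added example that is not part of the original messages and is not Django's code: one login handler returns the proposed "insufficient access" message to a valid non-staff user, the other returns the same response as a failed login, and a small check reports whether the response confirms that a guessed login/password pair is valid. The user store, function names, status codes and the generic error text are all assumptions made for illustration.

```python
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed value, for the sample data only

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1000)

# Constructed sample accounts (hypothetical); only "alice" is staff.
USERS = {
    "alice": {"pw": _hash("correct horse"), "is_staff": True},
    "bob": {"pw": _hash("hunter2"), "is_staff": False},
}

GENERIC = (200, "Invalid username or password.")  # hypothetical wording

def authenticate(username, password):
    """Return the user record if the credentials match, else None."""
    user = USERS.get(username)
    # Unknown users are checked against a dummy hash so both paths do the same work.
    expected = user["pw"] if user else _hash("dummy")
    ok = hmac.compare_digest(_hash(password), expected)
    return user if (user and ok) else None

def admin_login_distinct(username, password):
    """Behaviour proposed in the quoted message: tell a valid non-staff user so."""
    user = authenticate(username, password)
    if user is None:
        return GENERIC
    if not user["is_staff"]:
        return (403, "You have insufficient access to this page")
    return (302, "/admin/")

def admin_login_uniform(username, password):
    """Behaviour argued for in the reply: non-staff looks like a failed login."""
    user = authenticate(username, password)
    if user is None or not user["is_staff"]:
        return GENERIC
    return (302, "/admin/")

def confirms_non_staff_credentials(login):
    """True if the response separates valid non-staff credentials from wrong ones."""
    return login("bob", "hunter2") != login("bob", "wrong-guess")
```

A check like `confirms_non_staff_credentials` can sit in a regression test suite so that a later change to the error message does not silently reintroduce the distinction.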