#36325: Inconsistent error handling for inactive users in ModelBackend
-------------------------------------+-------------------------------------
     Reporter:  Ariel Souza          |                    Owner:  (none)
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.auth         |                  Version:  5.2
     Severity:  Normal               |               Resolution:  invalid
     Keywords:                       |             Triage Stage:
  ModelBackend;authenticate          |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by ontowhee):

 * resolution:   => invalid
 * status:  new => closed

Comment:

 Hello! Thanks for the report.

 > As a result, any login attempt with an inactive user results in a
 generic "email or password is incorrect" error message. This is especially
 misleading in the Django Admin, where users expect a specific message
 indicating that the account is inactive.

 Returning a generic error message is desirable from a security perspective
 and is recommended by OWASP:
 [https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#login].

 > A clear message should be displayed indicating that the account is
 inactive, as raised by confirm_login_allowed.

 The use case you are describing goes against the security practices.
 Closing this ticket because the use case is not aligned with the security
 practices.

 If you need assistance in using Django please feel free to ask for help
 from a friendly community member on [https://chat.djangoproject.com/
 Discord] or the [https://forum.djangoproject.com/ Django forum].
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36325#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
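As an added illustration of the point made in the comment above (example code, not from the ticket or from Django itself): a simplified model of the ModelBackend rule that inactive users are rejected inside the backend, so the login form only ever sees "no user" and shows the one generic message, beside the per-cause variant the report asked for, which shows what those messages would disclose to an unauthenticated caller. The user table, salt, hasher and message strings are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
SALT = b"constructed-demo-salt"  # constructed; a fixed salt keeps the demo short

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

@dataclass
class User:
    username: str
    password_hash: bytes
    is_active: bool

# Constructed user table: alice is active, bob has been deactivated.
USERS = {
    "alice": User("alice", hash_password("correct horse"), is_active=True),
    "bob": User("bob", hash_password("battery staple"), is_active=False),
}

def user_can_authenticate(user: User) -> bool:
    # The rule the ticket is about: the backend rejects inactive users itself,
    # so the login form never gets a user object it could report as inactive.
    return user.is_active

def authenticate(username: str, password: str) -> Optional[User]:
    user = USERS.get(username)
    if user is None:
        hash_password(password)  # burn the same time as a real check; no timing hint
        return None
    if not hmac.compare_digest(hash_password(password), user.password_hash):
        return None
    return user if user_can_authenticate(user) else None

GENERIC_ERROR = "Please enter a correct username and password."

def login(username: str, password: str) -> str:
    # No such user, wrong password and inactive all collapse to one message.
    user = authenticate(username, password)
    return f"welcome {user.username}" if user else GENERIC_ERROR

def leaky_login(username: str, password: str) -> str:
    # The per-cause messages the report asked for: three distinct strings, so an
    # unauthenticated caller learns which accounts exist and which are inactive.
    user = USERS.get(username)
    if user is None:
        return "No account with that username."
    if not hmac.compare_digest(hash_password(password), user.password_hash):
        return "Incorrect password."
    return f"welcome {user.username}" if user.is_active else "This account is inactive."
```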