Ladies and gentlemen,
Thanks for all the feedback, a patch is in ticket 16837:
https://code.djangoproject.com/ticket/16837
Feel free to try and review the patch.
Best regards and for now, good night.
Wim
On 13 sep, 23:42, Jacob Kaplan-Moss wrote:
> Hi folks --
>
> I agree 100% with what Russ
Hi folks --
I agree 100% with what Russ had to say on the ticket: leaking
information about admin accounts isn't OK, and we won't change that.
If someone would like to submit a patch with different wording that
covers all cases -- "this is an invalid user/password for admin
access" or somesuch --
On Tue, Sep 13, 2011 at 11:24 AM, Adam Jenkins wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
-1
If a person brute forces your site and finds the correct username /
password they could try this on other sites (gmail, banking, etc..)
While it would make it a little more clear I think the implications
are too big.
On Sep 13, 3:14 pm, Adam Jenkins wrote:
> On Tue, Sep 13, 2011 at 12:42 PM,
The correct approach is to give a "one size fits all" error message.
While security is important, so also is user experience.
On 9/13/11, Adam Jenkins wrote:
> On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote:
>> Hi, thanks for your quick responses!
>>
>> Flavio, Jan and Florian, it only "give
On Tue, Sep 13, 2011 at 12:42 PM, Wim Feijen wrote:
> Hi, thanks for your quick responses!
>
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
I think this is the correct approach. Give them the access warning on
corre
Hmm, actually my text was supposed to go below the quotes, but apparently
the new google interface is a bit buggy -- nevertheless I hope you still
understand the point I am trying to make even without correct quoting order…
On Tue, Sep 13, 2011 at 12:27 PM, Anssi Kääriäinen
wrote:
> On Sep 13, 8:24 pm, Adam Jenkins wrote:
> > +1 on making the error say more than incorrect username/password. That
> > is confusing. In regards to leaking information about the user. The
> > error message in general could be changed to s
Hi,
On Tuesday, September 13, 2011 7:42:24 PM UTC+2, Wim Feijen wrote:
>
> Flavio, Jan and Florian, it only "gives away information" when an
> attacker guesses both the username and the password right.
>
No! Assume the admin view is the only login view in your project (since it
only consists o
On Sep 13, 8:24 pm, Adam Jenkins wrote:
> +1 on making the error say more than incorrect username/password. That
> is confusing. In regards to leaking information about the user. The
> error message in general could be changed to something like this, of
> course with better wording:
>
> "Username
On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd]
wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like that.
The thing is: if someone does a
+1 again.
If a correct username and password combination are given, the person
submitting the credentials should know that he doesn't have access
just like Cal pointed out. It's unfair and frustrating to say that the
combination is wrong
On 9/13/11, Cal Leeming [Simplicity Media Ltd]
wrote:
> +1,
Hi, thanks for your quick responses!
Flavio, Jan and Florian, it only "gives away information" when an
attacker guesses both the username and the password right.
But if he can guess those right, he could already access the user's
information using the normal login! So giving this message does not
+1 on making the error say more than incorrect username/password. That
is confusing. In regards to leaking information about the user. The
error message in general could be changed to something like this, of
course with better wording:
"Username and password incorrect or access to this page restri
I can imagine several situations where you would like the user not to know
that, until they talk to an administrator.
-1 for me too, both giving away user info and giving info to the user that
would be better given by a talk to an administrator.
2011/9/13 Cal Leeming [Simplicity Media Ltd] <
cal.l
+1, if the user/pass is entered, that user is entitled to know what its own
permissions are.
The error should give "You have insufficient access to this page" or
something like that.
Cal
On Tue, Sep 13, 2011 at 6:12 PM, Florian Apolloner wrote:
> -1, This would leak information about the users
-1, This would leak information about the users (But I am sure that's
discussed at length in the other threads)
+1
On 9/13/11, Wim Feijen wrote:
> Hello,
>
> When a user tries to login on the admin, with correct username &
> password, but is_staff is set to False, the error message is
> misleadingly wrong:
>
> "Please enter a correct username and password. Note that both fields
> are case-sensitive."
>
> T
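The two policies argued over in this thread, as an added example that is not part of the original discussion or of Django's code: a constructed in-memory user store replaces Django's auth tables, `is_staff` is the only authorization bit checked, and the generic message is assumed wording modelled on Jacob's suggestion rather than the text of the actual patch.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor for the constructed store


def _make_user(password: str, is_staff: bool) -> dict:
    """Constructed stand-in for a Django User row: salted PBKDF2 hash plus is_staff."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "is_staff": is_staff}


# Constructed sample accounts (not real data).
USERS = {
    "alice": _make_user("correct horse", is_staff=True),
    "bob": _make_user("battery staple", is_staff=False),  # valid login, no admin rights
}

# Assumed single-message wording in the spirit of the thread's conclusion.
GENERIC_ERROR = ("Please enter the correct username and password for a staff account. "
                 "Note that both fields are case-sensitive.")


def _credentials_valid(username: str, password: str):
    """Return the user record when the password matches, else None (constant-time compare)."""
    user = USERS.get(username)
    if user is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ITERATIONS)
    return user if hmac.compare_digest(digest, user["hash"]) else None


def leaky_admin_login(username: str, password: str):
    """The variant proposed early in the thread: a distinct message when the credentials
    are right but is_staff is False. Any observer of the response learns whether the
    username/password pair is valid, which is the leak Russ and Jacob objected to."""
    user = _credentials_valid(username, password)
    if user is None:
        return (False, "Please enter a correct username and password.")
    if not user["is_staff"]:
        return (False, "You have insufficient access to this page.")
    return (True, "")


def uniform_admin_login(username: str, password: str):
    """The approach the thread settled on: one message covers every failure, so the
    response is identical for a wrong password and for a valid non-staff account."""
    user = _credentials_valid(username, password)
    if user is None or not user["is_staff"]:
        return (False, GENERIC_ERROR)
    return (True, "")
```

Compare `leaky_admin_login("bob", "battery staple")` with `leaky_admin_login("bob", "wrong")` to see the oracle, then the same two calls against `uniform_admin_login`.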