newforms-admin: Fixed #6943 and #7263 -- Handle multiple e-mail addresses when checking if it was mistakenly entered. Also prevent e-mail guessing by checking password before throwing an error. Thanks Michael Newman and Valera Grishin.

git-svn-id: http://code.djangoproject.com/svn/django/branches/newforms-admin@7694 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-07-03 09:19:16 +00:00 · 2008-06-18 19:05:16 +00:00 · 2008-06-18 19:05:16 +00:00 · 308cef4068
commit 308cef4068
parent 86a946a1a6
2 changed files with 29 additions and 2 deletions
--- a/django/contrib/admin/sites.py
+++ b/django/contrib/admin/sites.py
@ -226,10 +226,14 @@ class AdminSite(object):
                # Mistakenly entered e-mail address instead of username? Look it up.
                try:
                    user = User.objects.get(email=username)
-                except User.DoesNotExist:
+                except (User.DoesNotExist, User.MultipleObjectsReturned):
                    message = _("Usernames cannot contain the '@' character.")
                else:
-                    message = _("Your e-mail address is not your username. Try '%s' instead.") % user.username
+                    if user.check_password(password):
+                        message = _("Your e-mail address is not your username."
+                                    " Try '%s' instead." % user.username) 
+                    else:
+                        message = _("Usernames cannot contain the '@' character.")
            return self.display_login_form(request, message)

        # The user data is correct; log in the user in and continue.
--- a/tests/regressiontests/admin_views/tests.py
+++ b/tests/regressiontests/admin_views/tests.py
@ -49,6 +49,14 @@ class AdminViewPermissionsTest(TestCase):
                     LOGIN_FORM_KEY: 1,
                     'username': 'super',
                     'password': 'secret'}
+        self.super_email_login = {'post_data': _encode_post_data({}),
+                     LOGIN_FORM_KEY: 1,
+                     'username': 'super@example.com',
+                     'password': 'secret'}
+        self.super_email_bad_login = {'post_data': _encode_post_data({}),
+                      LOGIN_FORM_KEY: 1,
+                      'username': 'super@example.com',
+                      'password': 'notsecret'}
        self.adduser_login = {'post_data': _encode_post_data({}),
                     LOGIN_FORM_KEY: 1,
                     'username': 'adduser',
@ -83,6 +91,21 @@ class AdminViewPermissionsTest(TestCase):
        self.assertFalse(login.context)
        self.client.get('/test_admin/admin/logout/')
        
+        # Test if user enters e-mail address
+        request = self.client.get('/test_admin/admin/')
+        self.failUnlessEqual(request.status_code, 200)
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        print login
+        self.assertContains(login, "Your e-mail address is not your username")
+        # only correct passwords get a username hint
+        login = self.client.post('/test_admin/admin/', self.super_email_bad_login)
+        self.assertContains(login, "Usernames cannot contain the &#39;@&#39; character")
+        new_user = User(username='jondoe', password='secret', email='super@example.com')
+        new_user.save()
+        # check to ensure if there are multiple e-mail addresses a user doesn't get a 500
+        login = self.client.post('/test_admin/admin/', self.super_email_login)
+        self.assertContains(login, "Usernames cannot contain the &#39;@&#39; character")        
+        
        # Add User
        request = self.client.get('/test_admin/admin/')
        self.failUnlessEqual(request.status_code, 200)