From 75118bd242eec87649da2859e8c50a199a8a1dca Mon Sep 17 00:00:00 2001
From: Thomas Sutton <me@thomas-sutton.id.au>
Date: Mon, 20 Aug 2012 11:17:26 +0800
Subject: [PATCH] Admin app should not allow username discovery
The admin app login form should not allow users to discover the username
associated with an email address.
---
django/contrib/admin/forms.py | 15 +--------------
1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py
index 6d72b5b373..f1e7076ece 100644
--- a/django/contrib/admin/forms.py
+++ b/django/contrib/admin/forms.py
@@ -4,8 +4,7 @@ from django import forms
from django.contrib.auth import authenticate
from django.contrib.auth.forms import AuthenticationForm
-from django.contrib.auth import get_user_model
-from django.utils.translation import ugettext_lazy, ugettext as _
+from django.utils.translation import ugettext_lazy
ERROR_MESSAGE = ugettext_lazy("Please enter the correct username and password "
"for a staff account. Note that both fields are case-sensitive.")
@@ -27,18 +26,6 @@ class AdminAuthenticationForm(AuthenticationForm):
if username and password:
self.user_cache = authenticate(username=username, password=password)
if self.user_cache is None:
- if '@' in username:
- # Mistakenly entered e-mail address instead of username? Look it up.
- user_model = get_user_model()
- try:
- user = user_model.objects.get(email=username)
- except (user_model.DoesNotExist, user_model.MultipleObjectsReturned):
- # Nothing to do here, moving along.
- pass
- else:
- if user.check_password(password):
- message = _("Your e-mail address is not your username."
- " Try '%s' instead.") % user.username
raise forms.ValidationError(message)
elif not self.user_cache.is_active or not self.user_cache.is_staff:
raise forms.ValidationError(message)