At the risk of bike-shedding this to death - if the current behavior included the correct message (user can't access the admin) - would we seriously consider a ticket asking to replace it with the current "misleading/more secure" message, for security's sake?

On Wed, 16 Mar 2011 06:11:18 +0200, Tai Lee <real.hu...@mrmachine.net> wrote:

I also don't think it should be considered a security vulnerability to
reveal that an authenticated user does not have permission to access
the admin (or any other) app.

If the credentials are valid and they authenticate against the defined
authentication backends, then we should assume that we are talking to
a trusted authenticated user and we should present error messages that
are at the very least not misleading.

Assuming that any authenticated user might be an attacker who has
brute forced a password and presenting obscure error messages to
authenticated users is not helping anybody.

Cheers.
Tai.


On Mar 16, 3:41 am, "Brian O'Connor" <gatzby...@gmail.com> wrote:
2011/3/15 Juan Pablo Martínez <jpm...@gmail.com>

> The admin is not "one more app"; it is (if I may) the app with the most weight
> on most sites. Someone who has access to the admin has access to most
> or all information. There is no "one more app."

This has nothing to do with the argument here.  The account in question, as
already stated many times, has no access to the admin site.  That's the
whole point of this discussion.

> Carelessness or neglect of a click in the admin shouldn't call into
> question the admin with the justification "that does not happen
> again."

This has to do with deliberately misleading users.  I've been stuck by this
at least once in my Django career, and artemy has too.  People make
mistakes, it happens.

> I think if everyone is going to fix "contrib" to your needs the
> contrib lost all independence.

I especially don't understand this statement.  The whole point of
django-developers is to discuss development of django, and by extension
(because there are no other lists, as far as I'm aware) the contrib
modules.  Everyone comes here to help make the project better, to help fit
their needs.  That's the whole point, as far as I'm concerned.

A reasonable suggestion was made, and a few people came back and said that
making this improvement would open a security issue.  Myself and others
have stated that in fact this would not be a security issue, and have
provided examples.

At this point, I'll absolutely never forget to check the is_staff flag
purely because I've been following this discussion.  What I don't understand
is why there is such a huge opposition to the change.

--
Brian O'Connor



--
You received this message because you are subscribed to the Google Groups "Django 
developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.
