On Mar 16, 12:11 am, Tai Lee <real.hu...@mrmachine.net> wrote:
> Assuming that any authenticated user might be an attacker who has
> brute forced a password and presenting obscure error messages to
> authenticated users is not helping anybody.

I agree with this, and with the many people in this thread who have
come to the conclusion that there is no significant security benefit
to the obfuscated error message here. So I would be +1 to change it.

However, if there are core devs who still feel that there's some
security issue here (Russell?), Paul presented early on what I think
is a pretty good compromise: keep the error message the same in all
cases, but append "or you don't have permission to log in here." so it
actually covers the possible cases and isn't quite so misleading. I
think that change should be uncontroversial.

Carl

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.