I have just read the whole thread again and I'm happy to see there are many
people supporting my proposal. They have written thorough objections to
the criticism.
So what would be the decision on this issue? Would Django make good guys'
life harder while nothing changes for bad guys?
Hello.
I'
OTOH, I don't see a valid usage scenario not involving an admin who
has 2 accounts in the system and forgot which one was the proper one.
PS. If you're really concerned about messages from admin you should be
really outraged by _("Your e-mail address is not your username. Try
'%s' instead.")
Again: this change does not compromise security, because its effect is
visible only *after* security is compromised: when an attacker has a valid
username and password for the site.
I understand that the "correct" message is another, but I do not see
why it has to amend the current when the chan
If I'm a smart attacker, I will pay attention to the error message I get
back from my failed login attempts.
If you're a smart attacker, you won't bruteforce credentials for the admin
site, you will bruteforce credentials for the main site. This way you'd get
many more credentials, if credentials f
I'm quoting the first message in the thread:
"I want to emphasize once more that when the username/password combination is
wrong, the message should be about wrong credentials. But when the
username/password combination is correct, the message should be about
permissions."
Bruteforcing isn't related to desired
Suppose I'm an attacker. I have obtained a valid username and password. I
tried those on the main site and it worked. I tried those on the admin site and it
didn't work. I understand that is_staff=False for this user. This is open
information.
Yet some people try to hide this open information from go
Hello.
I've recently reported a bug[1] in django but got advice to discuss it
here on django-developers first.
When a user having is_staff=False provides a correct username and password
to the admin login page, he gets the message "Please enter a correct username
and password. Note that both fie
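The following is an added example, not code from Django or from anyone in this thread. It models the two login endpoints the thread argues about as plain Python functions: `admin_login_current` returns the single "wrong credentials" message for both a bad password and a non-staff user (the behaviour the first message reports), `admin_login_proposed` returns a separate permissions message once the password has verified, and `attacker_infers_is_staff` carries out the reasoning from the message beginning "Suppose I'm an attacker": with credentials that already work on the main site, the admin endpoint reveals `is_staff` under either message policy. The user store, password hashing, user names, passwords and message strings are all constructed here for illustration and are not Django's.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed message strings (not Django's exact wording).
WRONG_CREDENTIALS = "Please enter a correct username and password."
NOT_STAFF = "Your account does not have permission to access the admin site."


@dataclass
class User:
    """Minimal stand-in for a user record; only the fields this example needs."""
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the iteration count is chosen for this example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(username: str, password: str, is_staff: bool) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), is_staff)


# Constructed sample accounts: one staff, one non-staff.
USERS: Dict[str, User] = {
    u.username: u
    for u in (
        make_user("alice", "correct horse", is_staff=True),
        make_user("bob", "battery staple", is_staff=False),
    )
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Return the user if the password verifies, else None."""
    user = USERS.get(username)
    # Hash even for unknown usernames so response timing does not reveal
    # whether the username exists.
    candidate = _hash(password, user.salt if user else b"\x00" * 16)
    if user is not None and hmac.compare_digest(candidate, user.pw_hash):
        return user
    return None


def main_site_login(username: str, password: str) -> bool:
    """The main site accepts any user whose credentials verify."""
    return authenticate(username, password) is not None


def admin_login_current(username: str, password: str) -> Optional[str]:
    """Behaviour reported in the thread: one message for both failure causes.
    Returns the error message, or None on success."""
    user = authenticate(username, password)
    if user is None or not user.is_staff:
        return WRONG_CREDENTIALS
    return None


def admin_login_proposed(username: str, password: str) -> Optional[str]:
    """The proposal: credentials message only while the password is wrong,
    permissions message once the password has verified."""
    user = authenticate(username, password)
    if user is None:
        return WRONG_CREDENTIALS
    if not user.is_staff:
        return NOT_STAFF
    return None


def attacker_infers_is_staff(username: str, password: str) -> Optional[bool]:
    """The attacker's reasoning from the thread: if the credentials work on the
    main site, the admin result alone (success or any failure) tells the
    attacker whether is_staff is set, regardless of which message is shown.
    Returns None when the credentials are wrong and nothing is learned."""
    if not main_site_login(username, password):
        return None
    return admin_login_current(username, password) is None
```

Both admin functions are called with the same constructed credentials in the checks below; the point to notice is that `attacker_infers_is_staff` never needs to look at the message text, only at whether the admin login succeeded, so the proposed wording adds nothing the attacker could not already derive.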