Admin app should not allow username discovery

The admin app login form should not allow users to discover the username associated with an email address.
2012-08-20 11:17:26 +08:00 · 2012-08-20 11:17:26 +08:00 · 75118bd242
parent d088b3af58
commit 75118bd242
1 changed files with 1 additions and 14 deletions
--- a/django/contrib/admin/forms.py
+++ b/django/contrib/admin/forms.py
@ -4,8 +4,7 @@ from django import forms

 from django.contrib.auth import authenticate
 from django.contrib.auth.forms import AuthenticationForm
-from django.contrib.auth import get_user_model
-from django.utils.translation import ugettext_lazy, ugettext as _
+from django.utils.translation import ugettext_lazy

 ERROR_MESSAGE = ugettext_lazy("Please enter the correct username and password "
        "for a staff account. Note that both fields are case-sensitive.")
@ -27,18 +26,6 @@ class AdminAuthenticationForm(AuthenticationForm):
        if username and password:
            self.user_cache = authenticate(username=username, password=password)
            if self.user_cache is None:
-                if '@' in username:
-                    # Mistakenly entered e-mail address instead of username? Look it up.
-                    user_model = get_user_model()
-                    try:
-                        user = user_model.objects.get(email=username)
-                    except (user_model.DoesNotExist, user_model.MultipleObjectsReturned):
-                        # Nothing to do here, moving along.
-                        pass
-                    else:
-                        if user.check_password(password):
-                            message = _("Your e-mail address is not your username."
-                                        " Try '%s' instead.") % user.username
                raise forms.ValidationError(message)
            elif not self.user_cache.is_active or not self.user_cache.is_staff:
                raise forms.ValidationError(message)