From 75118bd242eec87649da2859e8c50a199a8a1dca Mon Sep 17 00:00:00 2001
From: Thomas Sutton
Date: Mon, 20 Aug 2012 11:17:26 +0800
Subject: [PATCH] Admin app should not allow username discovery
The admin app login form should not allow users to discover the username associated with an email address.
---
 django/contrib/admin/forms.py | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/django/contrib/admin/forms.py b/django/contrib/admin/forms.py
index 6d72b5b373..f1e7076ece 100644
--- a/django/contrib/admin/forms.py
+++ b/django/contrib/admin/forms.py
@@ -4,8 +4,7 @@ from django import forms
 from django.contrib.auth import authenticate
 from django.contrib.auth.forms import AuthenticationForm
-from django.contrib.auth import get_user_model
-from django.utils.translation import ugettext_lazy, ugettext as _
+from django.utils.translation import ugettext_lazy
 ERROR_MESSAGE = ugettext_lazy("Please enter the correct username and password " "for a staff account. Note that both fields are case-sensitive.")
@@ -27,18 +26,6 @@ class AdminAuthenticationForm(AuthenticationForm):
 if username and password:
 self.user_cache = authenticate(username=username, password=password)
 if self.user_cache is None:
-if '@' in username:
-# Mistakenly entered e-mail address instead of username? Look it up.
-user_model = get_user_model()
-try:
-user = user_model.objects.get(email=username)
-except (user_model.DoesNotExist, user_model.MultipleObjectsReturned):
-# Nothing to do here, moving along.
-pass
-else:
-if user.check_password(password):
-message = _("Your e-mail address is not your username." " Try '%s' instead.") % user.username
 raise forms.ValidationError(message)
 elif not self.user_cache.is_active or not self.user_cache.is_staff:
 raise forms.ValidationError(message)
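Review bot: Nothing in this commit stops the e-mail hint from being reintroduced: the diffstat shows only forms.py changed, so there is no regression test asserting that submitting an e-mail address with that account's correct password yields only the generic ERROR_MESSAGE, and the surviving `raise forms.ValidationError(message)` in the second hunk carries no comment explaining why it is deliberately uninformative. I would add above that line `# Deliberately generic: never reveal whether a username or e-mail address maps to an account (enumeration oracle).` and a test in the admin suite that posts a staff user's e-mail as the username with the right password and asserts the response contains the generic error and not the username. The same generic `message` is already used for the inactive/non-staff branch, which is the right choice, since distinguishing "wrong password" from "not staff" would leak account state the same way. One caveat outside this hunk: the `authenticate()` call still runs a backend whose behaviour is not shown here; if that backend skips password hashing for unknown usernames, existence can still be inferred from response time, which is worth confirming separately. The enclosing `clean()` method starts and ends outside the hunk, so where `message` is first bound is not visible here.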