Improve error message for deactivated users login #61
If an account is deactivated, on the login page display a different error message. Instead of "Please enter a correct username and password. Note that both fields may be case-sensitive." display "Your account has been disabled, please contact the reference librarian".

Comments

This looks to be a regression in Django that has been fixed in 2.x. See: https://code.djangoproject.com/ticket/28645 Maybe we should try to address #28 first.

Actually, the fix was also added to Django 1.11.8 but then it was reverted in both versions for security concerns. Django's plan is to fix it in 2.1 but the solution will probably be too invasive to backport to older versions. The workaround in https://stackoverflow.com/a/49138231/9453030 may leak whether or not a username exists because of the time it takes to hash a password and it will increase the possibility of timing attacks. If this is not critical, we should wait for Django 2.1.

@stefanabreitwieser, I'd appreciate hearing your thoughts about this issue.

Hi @jraddaoui -- so if I'm understanding correctly, fixing the error message requires a future release of Django and current solutions aren't ideal? This is not a critical issue -- let's keep it open for now and return to it when the solution is easier or if we have time at the end of the project. Thanks! @bunekcca -- just tagging you so you see this!

@stefanabreitwieser, that's right :(

Checked this issue locally after upgrading Django, and it looks like it has not been addressed yet in Django 2.1.1 :(

Okay, no worries, this is low-priority. If Django is updated again during the project then we can update, but if not, then it's not a huge issue.
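The timing concern raised in the thread, shown as an added example that is not the project's code, Django's code, or the Stack Overflow workaround. It is plain Python with a constructed two-user store (no Django dependency): `login_leaky` decides on the inactive state before verifying the password, so an unknown username and an inactive one return without doing any PBKDF2 work while an active one does, and the inactive message is shown to anyone who knows the username; `login_safe` verifies the password first, burns the same hash cost for unknown names (the same idea as Django's `ModelBackend` hashing the submitted password against a throwaway user for nonexistent usernames), and only then reports the disabled account. The usernames, passwords, iteration count and message strings are all constructed for the demo.

```python
"""Added example (not the project's or Django's code): two ways of reporting a
deactivated account on login, one of which leaks username existence via timing."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed PBKDF2-SHA256 round count, kept small for the demo
GENERIC = "Please enter a correct username and password."
INACTIVE = "Your account has been disabled, please contact the reference librarian"

# Counts PBKDF2 evaluations so the work done per request can be compared
# deterministically instead of with wall-clock timing.
HASH_CALLS = 0


def make_hash(password, salt=None):
    """Derive (salt, key) for a password; salt is random unless supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password, salt, expected):
    """Constant-time comparison of a freshly derived key against the stored one."""
    global HASH_CALLS
    HASH_CALLS += 1
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, expected)


# Constructed user store: username -> (salt, hash, is_active)
USERS = {
    "alice": (*make_hash("correct horse"), True),   # active account
    "bob": (*make_hash("battery staple"), False),   # deactivated account
}

# Throwaway credentials used to do the same amount of hashing for unknown
# usernames, so the response time does not reveal whether the name exists.
_DUMMY_SALT, _DUMMY_HASH = make_hash(os.urandom(16).hex())


def login_leaky(username, password):
    """Naive workaround: look at is_active before verifying the password.
    Unknown and inactive names return with zero hash work, active ones hash,
    and the inactive message is shown without the password being known."""
    record = USERS.get(username)
    if record is None:
        return GENERIC
    salt, expected, is_active = record
    if not is_active:
        return INACTIVE
    return None if check_password(password, salt, expected) else GENERIC


def login_safe(username, password):
    """Verify the password first, with equal hash cost for unknown usernames,
    and reveal the deactivated state only to someone holding the password."""
    record = USERS.get(username)
    if record is None:
        check_password(password, _DUMMY_SALT, _DUMMY_HASH)  # same cost as a real check
        return GENERIC
    salt, expected, is_active = record
    if not check_password(password, salt, expected):
        return GENERIC
    return INACTIVE if not is_active else None


def work_done(login, username, password):
    """Return (message, number of PBKDF2 evaluations) for one login attempt."""
    global HASH_CALLS
    HASH_CALLS = 0
    message = login(username, password)
    return message, HASH_CALLS


if __name__ == "__main__":
    for name in ("nobody", "alice", "bob"):
        print("leaky", name, work_done(login_leaky, name, "wrong password"))
        print("safe ", name, work_done(login_safe, name, "wrong password"))
```

The per-request hash count is what an attacker measures as response time: with `login_leaky` it is 0 for unknown and inactive names and 1 for active ones, with `login_safe` it is 1 for every request. The project's desired "account has been disabled" message still tells the caller that the account exists, but in the safe ordering that only happens after a correct password, which is the tradeoff the Django ticket discussion is about.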