Description

Disabled account login says the password is wrong, not that the account is disabled.

Steps to reproduce

  1. Disable account
  2. Try to log in with the account
  3. Message says "Sorry, wrong password." - should say that the account is disabled

Example

Details

moin 1.3.5

Workaround

--- userform.py.orig    2005-08-22 00:58:19.000000000 +0300
+++ userform.py 2005-08-22 01:01:07.000000000 +0300
@@ -135,7 +135,10 @@
             # Load the user data and check for validness
             theuser = user.User(self.request, name=name, password=password)
             if not theuser.valid:
-                return _("Sorry, wrong password.")
+                if theuser.disabled:
+                    return _('Account "%s" is locked and disabled.') % name
+                else:
+                    return _("Sorry, wrong password.")

             # Save the user and send a cookie
             self.request.user = theuser
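
Review bot: The new `if theuser.disabled:` branch runs for every login where `theuser.valid` is false, so whether a wrong password also gets the "locked and disabled" message depends on how `user.User(...)` sets `disabled` when the password does not match, and these lines do not show that. If the disabled state should only be revealed to someone who supplied the correct password, make that explicit at this point, with a comment stating the assumption or a check that the password verified before testing `disabled`, rather than relying on the constructor's behaviour. Smaller points: the `else:` after `return` is redundant, and the new string uses single quotes while the existing message uses double quotes.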

If the wrong password is given for a disabled account, the fact that the account is disabled isn't given away (should it even be?), but a person who knows the password is now told that the account is disabled.

Discussion

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/LoginWithDisabledAccountWarning (last edited 2007-10-29 19:10:34 by localhost)