Description
Disabled account login says the password is wrong, not that the account is disabled.
Steps to reproduce
- Disable account
- Try to log in with the account
- Message says "Sorry, wrong password." - should say that account is disabled
Example
Details
moin 1.3.5
Workaround
--- userform.py.orig 2005-08-22 00:58:19.000000000 +0300 +++ userform.py 2005-08-22 01:01:07.000000000 +0300 @@ -135,7 +135,10 @@ # Load the user data and check for validness theuser = user.User(self.request, name=name, password=password) if not theuser.valid: - return _("Sorry, wrong password.") + if theuser.disabled: + return _('Account "%s" is locked and disabled.') % name + else: + return _("Sorry, wrong password.") # Save the user and send a cookie self.request.user = theuser
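Review bot: The new `if theuser.disabled:` branch sits inside `if not theuser.valid:`, so it is only safe if `user.User(...)` sets `disabled` after the supplied password has been verified, and nothing in this hunk shows or documents that. If `disabled` is instead loaded from the stored profile regardless of the password, anyone who submits the account name with any password will get 'Account "%s" is locked and disabled.', which discloses both that the account exists and its state. Please add a comment stating the assumption, or make the branch conditional on an explicit "password matched" result rather than on `disabled` alone. Separately, `name` comes from the login form and is interpolated into the returned message; if the caller renders that message as HTML, the name needs escaping before `% name`.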
If the password is given incorrectly for the disabled account, the fact that the account is disabled isn't given away (should it even?), but a person who knows the password is now told that the account is disabled.
Discussion
Plan
- Priority:
- Assigned to:
- Status: applied similar patch in moin--main--1.5--patch-207