This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Unconfirmed users get a message saying their password is incorrect if they don't enter it correctly #1908

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 2 comments

Comments

@openstreetmap-trac

Reporter: avarab[at]gmail.com
[Submitted to the original trac issue database at 1.47am, Wednesday, 3rd June 2009]

  • Create a user
  • Don't confirm it with the e-mail auth
  • Try to log in with the correct user/password
  • Try to log in with the correct user/wrong password

If the user is not authenticated and someone enters the password for that user incorrectly the web UI will whine about not being able to log in with those details. That's silly, if the user is unconfirmed it should whine about that regardless of whether an incorrect password is entered.

Relevant code in the user controller:

    # First attempt: only confirmed (active) accounts with a matching password succeed.
    user = User.authenticate(:username => email_or_display_name, :password => pass)
    if user
      session[:user] = user.id
      if params[:referer]
        redirect_to params[:referer]
      else
        redirect_to :controller => 'site', :action => 'index'
      end
      return
    # Second attempt admits unconfirmed accounts too, so this branch is reached only
    # when the password was correct and the account is merely inactive.
    elsif User.authenticate(:username => email_or_display_name, :password => pass, :inactive => true)
      notice = I18n.t('user.login.account not active')
    else
      notice = I18n.t('user.login.auth failure')
    end
@openstreetmap-trac

Author: tom[at]compton.nu
[Added to the original trac issue at 7.30am, Wednesday, 3rd June 2009]

This is a difficult area - it is generally considered to be good security practice not to indicate exactly why a login failed as it makes it easier for somebody searching for valid credentials to know which value to change next time round.

@openstreetmap-trac

Author: TomH
[Added to the original trac issue at 3.44pm, Friday, 26th February 2010]

I really don't see that this is an issue - the first thing that somebody is going to do when being told that it "could not log in with those details" is to try again at which point they will probably get the password correct and will be told the account is not active yet.

The only gain here is that somebody that hasn't confirmed their account and who types their password wrongly will be reminded to confirm the account without having to go to the trouble of typing their password again.
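The trade-off Tom describes, as an added Ruby example that is not part of this issue or of the openstreetmap-website code: a constructed in-memory user store stands in for User.authenticate, the controller's current notice ordering sits beside the ordering the report asks for, and a check shows which of the two lets a single wrong password tell an unconfirmed account apart from a username that does not exist. Usernames, passwords and method names are assumptions for the example.

```ruby
# Constructed in-memory user store standing in for the User model; a real
# store holds password hashes, not plaintext (assumption for this example).
USERS = {
  'alice' => { password: 'correct horse',  active: true  },
  'bob'   => { password: 'battery staple', active: false }, # unconfirmed
}.freeze

# Stand-in for User.authenticate: returns the record only when the password
# matches; inactive: true additionally admits unconfirmed accounts, as the
# controller's second call does.
def authenticate(username, password, inactive: false)
  user = USERS[username]
  return nil unless user && user[:password] == password
  return nil if !user[:active] && !inactive
  user
end

# Current controller ordering: "account not active" is reached only after the
# password has been verified, so a wrong password always gets the generic notice.
def login_notice_current(username, password)
  return :success if authenticate(username, password)
  return :account_not_active if authenticate(username, password, inactive: true)
  :auth_failure
end

# Ordering the report asks for: mention the unconfirmed account regardless of
# the password. The notice now depends on the username alone.
def login_notice_proposed(username, password)
  user = USERS[username]
  return :account_not_active if user && !user[:active]
  return :success if authenticate(username, password)
  :auth_failure
end

# True when one wrong password already distinguishes an unconfirmed account
# from a username that does not exist at all.
def leaks_unconfirmed_accounts?(policy)
  guess = 'not the password'
  policy.call('bob', guess) != policy.call('nobody', guess)
end

if __FILE__ == $PROGRAM_NAME
  [method(:login_notice_current), method(:login_notice_proposed)].each do |policy|
    puts "#{policy.name}: leaks unconfirmed accounts? #{leaks_unconfirmed_accounts?(policy)}"
  end
end
```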
