This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: avarab[at]gmail.com [Submitted to the original trac issue database at 1.47am, Wednesday, 3rd June 2009]
1. Create a user
2. Don't confirm it with the e-mail auth
3. Try to log in with the correct user/password
4. Try to log in with the correct user/wrong password
If the user is not authenticated and someone enters the password for that user incorrectly, the web UI will whine about not being able to log in with those details. That's silly: if the user is unconfirmed, it should whine about that regardless of whether an incorrect password is entered.
Relevant code in the user controller:

```ruby
# Returns the user only if the password is correct AND the account is active.
user = User.authenticate(:username => email_or_display_name, :password => pass)
if user
  session[:user] = user.id
  if params[:referer]
    redirect_to params[:referer]
  else
    redirect_to :controller => 'site', :action => 'index'
  end
  return
# Second lookup with :inactive => true: only a correct password on an
# unconfirmed account reaches this branch.
elsif User.authenticate(:username => email_or_display_name, :password => pass, :inactive => true)
  notice = I18n.t('user.login.account not active')
# Wrong password (or unknown user): generic failure, regardless of account state.
else
  notice = I18n.t('user.login.auth failure')
end
```
Author: tom[at]compton.nu [Added to the original trac issue at 7.30am, Wednesday, 3rd June 2009]
This is a difficult area - it is generally considered to be good security practice not to indicate exactly why a login failed as it makes it easier for somebody searching for valid credentials to know which value to change next time round.
Author: TomH [Added to the original trac issue at 3.44pm, Friday, 26th February 2010]
I really don't see that this is an issue - the first thing that somebody is going to do when being told that it "could not log in with those details" is to try again at which point they will probably get the password correct and will be told the account is not active yet.
The only gain here is that somebody that hasn't confirmed their account and who types their password wrongly will be reminded to confirm the account without having to go to the trouble of typing their password again.
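The controller branch under discussion, rebuilt as an added stand-alone example (not the project's own code) to show the property Tom describes: a wrong password produces the same generic failure whether the account is missing, unconfirmed or confirmed, and "account not active" is only reachable with the correct password. The in-memory `User` table, the PBKDF2-HMAC-SHA256 password storage, and the `login_outcome` helper are assumptions made for the example.

```ruby
require "openssl"
# In-memory stand-in for the User model (assumption: PBKDF2-HMAC-SHA256, per-user salt).
class User
  ITERATIONS = 10_000
  USERS = {} # constructed sample table, filled in at the bottom
  attr_reader :username, :active, :digest, :salt
  def initialize(username, password, active:)
    @username = username
    @salt = OpenSSL::Random.random_bytes(16)
    @digest = User.derive(password, @salt)
    @active = active
    USERS[username] = self
  end
  def self.derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # Constant-time digest comparison so timing does not leak matched bytes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mirrors the controller's call: returns the user only for a correct password;
  # an unconfirmed account is returned only when inactive: true is passed.
  def self.authenticate(username:, password:, inactive: false)
    user = USERS[username]
    return nil unless user && secure_equal?(user.digest, derive(password, user.salt))
    return nil unless inactive || user.active
    user
  end
end

# The controller branch from the issue, reduced to the outcome it reports.
# A wrong password yields :auth_failure whether the account is missing,
# unconfirmed or confirmed, so the message does not reveal account state.
def login_outcome(name, pass)
  if User.authenticate(username: name, password: pass)
    :ok
  elsif User.authenticate(username: name, password: pass, inactive: true)
    :account_not_active
  else
    :auth_failure
  end
end
# Constructed sample accounts: one confirmed, one awaiting e-mail confirmation.
User.new("alice", "correct horse", active: true)
User.new("bob", "battery staple", active: false)
```

Changing the `else` branch to report the unconfirmed state on a wrong password would make `login_outcome("bob", "wrong")` differ from `login_outcome("nobody", "wrong")`, which is exactly the account-existence signal the second comment warns about.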