hotfix merge #772 - yodax/generic-login-message

Make control panel login failed messages generic - don't reveal if an email address has an account on the system.

hotfix merge #772 - yodax/generic-login-message
Make control panel login failed messages generic - don't reveal if an email address has an account on the system.
3843f634 · Joshua Tauberer · 703e6795 · 3843f634 · 3843f634
Commit 3843f634 authored Mar 26, 2016 by Joshua Tauberer
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

CHANGELOG.md CHANGELOG.md +1 -0

daemon.py management/daemon.py +2 -2

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Mail:
 Control panel:

 * Prevent click-jacking of the management interface by adding HTTP headers.
+* Failed login no longer reveals whether an account exists on the system.

 Setup:


--- a/management/daemon.py
+++ b/management/daemon.py
@@ -49,7 +49,7 @@ def authorized_personnel_only(viewfunc):
 		except ValueError as e:
 			# Authentication failed.
 			privs = []
-			error = str(e)
+			error = "Incorrect username or password"

 		# Authorized to access an API view?
 		if "admin" in privs:
@@ -125,7 +125,7 @@ def me():
 	except ValueError as e:
 		return json_response({
 			"status": "invalid",
-			"reason": str(e),
+			"reason": "Incorrect username or password",
 			})

 	resp = {