From 3843f63416b3f185f1505a16c4798b30148e40b2 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 26 Mar 2016 09:22:02 -0400
Subject: [PATCH] hotfix merge #772 - yodax/generic-login-message

Make control panel login failed messages generic - don't reveal if an email address has an account on the system.
---
 CHANGELOG.md | 1 +
 management/daemon.py | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6469817e..661ca739 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ Mail:
 Control panel:
 * Prevent click-jacking of the management interface by adding HTTP headers.
+* Failed login no longer reveals whether an account exists on the system.
 Setup:
diff --git a/management/daemon.py b/management/daemon.py
index 6de0a59a..04c68a0e 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -49,7 +49,7 @@ def authorized_personnel_only(viewfunc):
 except ValueError as e:
 # Authentication failed.
 privs = []
- error = str(e)
+ error = "Incorrect username or password"
 # Authorized to access an API view?
 if "admin" in privs:
@@ -125,7 +125,7 @@ def me():
 except ValueError as e:
 return json_response({
 "status": "invalid",
- "reason": str(e),
+ "reason": "Incorrect username or password",
 })
 resp = {
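Review bot: In both management/daemon.py hunks the exception text is dropped but `except ValueError as e:` still binds `e`, so the name is now unused and the server keeps no record of why authentication failed; either narrow the clause to `except ValueError:` or log `str(e)` server-side before substituting the generic message, so operators can still diagnose the failures the client is deliberately no longer told about. The same literal "Incorrect username or password" is written out in both hunks; a single module-level constant would keep the two messages from drifting apart. A generic message closes only the message channel — if the underlying credential check returns earlier for an unknown account than for a wrong password, response timing may still differ between the two cases, which is worth confirming. Both enclosing functions, authorized_personnel_only and me, begin and end outside these hunks.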