1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00

hotfix merge #772 - yodax/generic-login-message

Make control panel login failed messages generic - don't reveal if an email address has an account on the system.
This commit is contained in:
Joshua Tauberer 2016-03-26 09:22:02 -04:00
parent 703e6795e8
commit 3843f63416
2 changed files with 3 additions and 2 deletions

View File

@ -11,6 +11,7 @@ Mail:
Control panel: Control panel:
* Prevent click-jacking of the management interface by adding HTTP headers. * Prevent click-jacking of the management interface by adding HTTP headers.
* Failed login no longer reveals whether an account exists on the system.
Setup: Setup:

View File

@ -49,7 +49,7 @@ def authorized_personnel_only(viewfunc):
except ValueError as e: except ValueError as e:
# Authentication failed. # Authentication failed.
privs = [] privs = []
error = str(e) error = "Incorrect username or password"
# Authorized to access an API view? # Authorized to access an API view?
if "admin" in privs: if "admin" in privs:
@ -125,7 +125,7 @@ def me():
except ValueError as e: except ValueError as e:
return json_response({ return json_response({
"status": "invalid", "status": "invalid",
"reason": str(e), "reason": "Incorrect username or password",
}) })
resp = { resp = {