diff --git a/CHANGES.rst b/CHANGES.rst
index 7f20e762..1103c78a 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -11,6 +11,9 @@ Added
 - ``DISABLE_PASSWORD_RESET`` configuration option to disable password recovery. :pr:`46`
+Fixed
+*****
+- ``HIDE_INVALID_LOGIN`` behavior and default value.
 [0.0.8] - 2022-03-15
 ====================
diff --git a/canaille/conf/config.sample.toml b/canaille/conf/config.sample.toml
index 7f057711..58a6838d 100644
--- a/canaille/conf/config.sample.toml
+++ b/canaille/conf/config.sample.toml
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/canaille/forms.py b/canaille/forms.py
index 3fd5ba6c..41d98b3a 100644
--- a/canaille/forms.py
+++ b/canaille/forms.py
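Review bot: The rewritten comment in the added lines keeps two wording slips — `wether` (should be `whether`) and `an user` (should be `a user`, twice) — and the identical text is repeated in the demo/conf-docker/canaille.toml and demo/conf/canaille.toml hunks of this commit, so all three should be fixed together. Since the option now defaults to the silent behaviour, the comment would be more useful if it said why, e.g. `# Keep this true unless you have a reason not to: a distinct "login does not exist" message lets anyone enumerate accounts.` Because the sample line stays commented out, the effective default comes from the application code (the `True` fallback in canaille/forms.py), and these three comments are only correct as long as they stay in sync with it.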
@@ -31,7 +31,7 @@ def unique_group(form, field):
 def existing_login(form, field):
-    if current_app.config.get("HIDE_INVALID_LOGINS", False) and not User.get(
+    if not current_app.config.get("HIDE_INVALID_LOGINS", True) and not User.get(
         field.data
     ):
         raise wtforms.ValidationError(
diff --git a/demo/conf-docker/canaille.toml b/demo/conf-docker/canaille.toml
index 551d77f1..5c02cedc 100644
--- a/demo/conf-docker/canaille.toml
+++ b/demo/conf-docker/canaille.toml
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/demo/conf/canaille.toml b/demo/conf/canaille.toml
index fa3b8746..7fcd7578 100644
--- a/demo/conf/canaille.toml
+++ b/demo/conf/canaille.toml
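Review bot: The new condition in `existing_login` is a double negative (`not ...get("HIDE_INVALID_LOGINS", True) and not User.get(...)`) and nothing in the function records why the fallback is now `True`, which makes it easy for a later edit to flip it back; binding the flag first, `reveal_missing = not current_app.config.get("HIDE_INVALID_LOGINS", True)`, followed by `if reveal_missing and not User.get(field.data):`, with the comment `# Default to hiding: a distinct "login does not exist" error lets anyone enumerate accounts.` would fix both. A side effect worth noting in that comment is that with the default in place the `and` short-circuits before `User.get`, so this validator no longer performs a directory lookup at all unless a deployment opts into revealing logins. The `True` fallback here is also duplicated as prose in the three sample TOML files of this commit, so if the project keeps a central defaults table (not visible here) it belongs there. The function body continues past the hunk, so the `ValidationError` message itself is not visible. Separately, the CHANGES.rst entry in this commit names the option ``HIDE_INVALID_LOGIN`` while the code and configs use `HIDE_INVALID_LOGINS`.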
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/tests/test_account.py b/tests/test_account.py
index 848b8f67..b7690fe7 100644
--- a/tests/test_account.py
+++ b/tests/test_account.py
@@ -123,7 +123,7 @@ def test_impersonate(testclient, slapd_connection, logged_admin, user):
 def test_wrong_login(testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
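Review bot: Neither case in `test_wrong_login` exercises the default this commit is about: both branches set `HIDE_INVALID_LOGINS` explicitly, so a regression of the `True` fallback in `existing_login` would not be caught by the suite. A third pass with the key absent — `testclient.app.config.pop("HIDE_INVALID_LOGINS", None)` followed by the same submit and `assert "The login 'invalid' does not exist" not in res.text` — pins the documented default; the same gap exists in `test_password_forgotten_invalid` in tests/test_forgotten_password.py. The flag is written to the shared app config and never restored (the function's later hunk leaves it at `False`), so unless the `testclient` fixture builds a fresh app for each test, the value leaks into whatever runs next. `test_wrong_login` continues beyond this hunk.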
@@ -134,12 +134,12 @@ def test_wrong_login(testclient, slapd_connection, user):
     res = res.form.submit(status=200)
     assert "The login 'invalid' does not exist" not in res.text
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
     res = res.form.submit(status=200)
-    assert "The login 'invalid' does not exist" in res.text, res.text
+    assert "The login 'invalid' does not exist" in res.text
 def test_admin_self_deletion(testclient, slapd_connection):
diff --git a/tests/test_forgotten_password.py b/tests/test_forgotten_password.py
index 35e5ea3c..c9e65624 100644
--- a/tests/test_forgotten_password.py
+++ b/tests/test_forgotten_password.py
@@ -30,7 +30,7 @@ def test_password_forgotten_invalid_form(smtpd, testclient, slapd_connection, us
 def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
     res = testclient.get("/reset", status=200)
     res.form["login"] = "i-dont-really-exist"
@@ -38,7 +38,7 @@ def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
     assert "A password reset link has been sent at your email address." in res.text
     assert "The login 'i-dont-really-exist' does not exist" not in res.text
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
     res = testclient.get("/reset", status=200)
     res.form["login"] = "i-dont-really-exist"
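Review bot: In the hiding branch of `test_password_forgotten_invalid` the two assertions only inspect the response text — they confirm the page claims a reset link was sent for a login that does not exist, but not that nothing was actually emailed. The `smtpd` fixture is already in the signature, so an assertion that it captured no message after this submit would make the "same answer whether or not the account exists" contract explicit rather than incidental. The function continues past the hunk, so the assertions for the `False` branch are not visible here.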