Fixed documentation about HIDE_INVALID_LOGINS

CHANGES.rst

@@ -11,6 +11,9 @@ Added
 
 - ``DISABLE_PASSWORD_RESET`` configuration option to disable password recovery. :pr:`46`
 
+Fixed
+*****
+- ``HIDE_INVALID_LOGIN`` behavior and default value.
 
 [0.0.8] - 2022-03-15
 ====================

canaille/conf/config.sample.toml

@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.

canaille/forms.py

@@ -31,7 +31,7 @@ def unique_group(form, field):
 
 
 def existing_login(form, field):
-    if current_app.config.get("HIDE_INVALID_LOGINS", False) and not User.get(
+    if not current_app.config.get("HIDE_INVALID_LOGINS", True) and not User.get(
         field.data
     ):
         raise wtforms.ValidationError(

demo/conf-docker/canaille.toml

@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.

demo/conf/canaille.toml

@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.

tests/test_account.py

@@ -123,7 +123,7 @@ def test_impersonate(testclient, slapd_connection, logged_admin, user):
 
 
 def test_wrong_login(testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
 
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
@@ -134,12 +134,12 @@ def test_wrong_login(testclient, slapd_connection, user):
     res = res.form.submit(status=200)
     assert "The login 'invalid' does not exist" not in res.text
 
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
 
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
     res = res.form.submit(status=200)
-    assert "The login 'invalid' does not exist" in res.text, res.text
+    assert "The login 'invalid' does not exist" in res.text
 
 
 def test_admin_self_deletion(testclient, slapd_connection):

tests/test_forgotten_password.py

@@ -30,7 +30,7 @@ def test_password_forgotten_invalid_form(smtpd, testclient, slapd_connection, us
 
 
 def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
     res = testclient.get("/reset", status=200)
 
     res.form["login"] = "i-dont-really-exist"
@@ -38,7 +38,7 @@ def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
     assert "A password reset link has been sent at your email address." in res.text
     assert "The login 'i-dont-really-exist' does not exist" not in res.text
 
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
     res = testclient.get("/reset", status=200)
 
     res.form["login"] = "i-dont-really-exist"