#23847: Minor Problem with Auth Documentation
-------------------------------+--------------------
Reporter: xmnr | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version: 1.7
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
Hello,
In the Django documentation about the authentication system, there are
several snippets of code which may mislead the uninitiated.
https://docs.djangoproject.com/en/1.7/topics/auth/default/#auth-web-
requests
For instance:
def email_check(user):
return '@example.com' in user.email
This is later used by user_passes_test() to authorize a user.
This is a very clear example, but if put into production it would be a
security liability because it doesn't prevent a user from registering with
the email "hac...@example.com.evil.net", or with the upcoming
"hacker@example.computer". I think most developers are wiser than that,
but a novice may not be.
I think this should be emended with the use of
user.email.endswith("@example.com")
--
Ticket URL: <https://code.djangoproject.com/ticket/23847>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/047.2197c581b72e193f39b50c94cdbd06a7%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
