Hi,
I'm working on a site for my company. I want to give access only to accounts:
- listed in my LDAP server
or
- listed in the local Auth db().
So I don't want other people to be able to register.
This is my Auth() config (some values replaced with '*' for confidentiality's sake):
### AUTH
######################################################################
# LDAP login method shipped with web2py (needed for ldap_auth() below)
from gluon.contrib.login_methods.ldap_auth import ldap_auth
# Create object
auth = Auth(globals(), db)
# Define settings
auth.settings.hmac_key = 'sha512:********'
auth.settings.mailer = None
auth.settings.remember_me_form = False
auth.settings.allow_basic_login = True
auth.settings.login_next = URL('index')
auth.settings.logout_next = URL('index')
auth.settings.on_failed_authorization = URL('user', args='on_failed_authorization')
auth.settings.login_onvalidation = []  # func takes form obj, can modify attribs of form obj before db IO
auth.settings.login_onaccept = []  # func should be executed after db IO and before redirection
auth.settings.expiration = 3600  # seconds
auth.settings.hideerror = False
auth.settings.formstyle = 'table3cols'  # "table2cols", "divs" and "ul"
auth.settings.long_expiration = 3600*24*30  # one month
auth.settings.remember_me_form = True
auth.settings.actions_disabled = ['register', 'change_password',
                                  'request_reset_password', 'retrieve_username',
                                  'profile']
# Define messages
auth.messages.access_denied = T('Não tem a necessária permissão de acesso')
auth.messages.login_disabled = T('Login desactivado pelo Admin')
auth.messages.logged_in = T('Bem-vindo(a) !')
auth.messages.logged_out = T('Até breve !')
auth.messages.invalid_login = T('Acesso inválido')
auth.messages.label_username = T('Utilizador')
auth.messages.label_password = T('Senha')
auth.messages.label_remember_me = T('Conservar este acesso aberto (Durante 30 dias)')
# LDAP method
auth.settings.login_methods.append(ldap_auth(mode='cn', server='****.*****s.com',
                                             base_dn='ou=*******,o=*******'))
# Automigrate only in DEVELOPMENT context
auth.define_tables(migrate=settings.migrate, username=True)
#------------------------------------------------------------------------------
This works well for me, and LDAP works fine too. But I have a problem:
if someone tries to connect to my site with a username which contains @,
he is automatically logged in, without even having to give a valid
password.
You can just type 'blahblah@coocoo', then Enter, and you're in. Auth
automatically creates a 'blahblah' user.
Is this behavior normal, or am I missing something?
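One defensive measure for the failure mode described in the post, as an added example that is neither from the original post nor from web2py itself: a login_onvalidation hook (the hook slot the config above already declares) that refuses any username that is not a plain cn, so a username containing '@' never reaches the LDAP or local password check. The hook name, the allowed-character pattern and the _Storage/make_form stand-ins for web2py's form object are assumptions; in a real app only the hook is needed, registered with auth.settings.login_onvalidation = [reject_unexpected_usernames].

```python
import re

# Allowed shape of a bare LDAP cn / local username (assumption: adjust to
# your directory's naming rules). Deliberately excludes '@'.
USERNAME_RE = re.compile(r'^[A-Za-z0-9._-]{2,64}$')


def reject_unexpected_usernames(form):
    """web2py login_onvalidation hook: runs before any login method is tried.

    Sets form.errors.username (which makes form.accepts() fail in web2py)
    when the submitted username is not a plain cn. Returns True only when
    the username is acceptable; the normalised value is written back so
    the login methods see exactly what was validated.
    """
    username = (form.vars.username or '').strip()
    if not USERNAME_RE.match(username):
        form.errors.username = 'Invalid username'
        return False
    form.vars.username = username
    return True


# ---- stand-in for a web2py form so this file runs outside web2py ----------
class _Storage(dict):
    """Minimal attribute-access dict, like gluon.storage.Storage."""
    def __getattr__(self, key):
        return self.get(key)

    def __setattr__(self, key, value):
        self[key] = value


def make_form(username):
    """Constructed sample form carrying only the fields the hook touches."""
    return _Storage(vars=_Storage(username=username), errors=_Storage())


if __name__ == '__main__':
    # Constructed sample inputs, including the bypass case from the post.
    for name in ('jsilva', 'blahblah@coocoo', ''):
        f = make_form(name)
        verdict = 'accepted' if reject_unexpected_usernames(f) else f.errors.username
        print(repr(name), '->', verdict)
```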