On Tue, Sep 13, 2011 at 2:16 PM, Cal Leeming [Simplicity Media Ltd] <[email protected]> wrote:
> +1, if the user/pass is entered, that user is entitled to know what its own
> permissions are.
> The error should give "You have insufficient access to this page" or
> something like that.
The thing is: if someone does a brute force attack on '/admin/' and gets this message back, they know there's a user with that login/password in the system. Since brute force attacks using common login/password pairs on these kinds of URLs are so common, I think this exposes your user more than necessary.

-1

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
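The disagreement above is about what the admin login form should say when the credentials are correct but the account has no admin rights. The following is an added example, not code from this thread or from Django itself: a stand-alone stand-in for that login check with two variants, one that answers "insufficient access" for a valid-but-unprivileged pair, and one that returns the same message for a wrong password and for a valid non-staff pair. The `USERS` table, passwords, message strings and the `distinguishable` helper are all constructed for the example; the point it makes is that the first variant lets a caller tell a valid credential pair from an invalid one by the error text alone.

```python
# Added example: two versions of an admin-style login check, showing why a
# "you lack permission" message confirms that a username/password pair is valid.
# Not Django's code; users, passwords and messages below are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    is_staff: bool


def make_user(username: str, password: str, is_staff: bool) -> User:
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(username, salt, pw_hash, is_staff)


# Constructed sample accounts (not real credentials): one staff, one not.
USERS = {
    "alice": make_user("alice", "correct horse", is_staff=True),
    "bob": make_user("bob", "battery staple", is_staff=False),
}

# One message for every failure, so the response carries no extra information.
GENERIC_ERROR = "Please enter a valid username and password for a staff account."


def _credentials_valid(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(candidate, user.pw_hash)


def leaky_admin_login(username: str, password: str):
    """The behaviour the '+1' post asks for: an authenticated but non-staff
    user is told they lack access. The distinct message reveals that the
    username/password pair itself was correct."""
    if not _credentials_valid(username, password):
        return (False, "Invalid username or password.")
    if not USERS[username].is_staff:
        return (False, "You have insufficient access to this page.")
    return (True, "Welcome")


def uniform_admin_login(username: str, password: str):
    """The behaviour the reply argues for: wrong password and valid-but-not-
    staff get the identical response, so nothing about credential validity
    can be read from the message."""
    if _credentials_valid(username, password) and USERS[username].is_staff:
        return (True, "Welcome")
    return (False, GENERIC_ERROR)


def distinguishable(login_fn) -> bool:
    """True when the error text separates 'valid non-staff pair' from
    'wrong password' -- i.e. when the form confirms a credential guess."""
    _, wrong_password = login_fn("bob", "not the password")
    _, valid_non_staff = login_fn("bob", "battery staple")
    return wrong_password != valid_non_staff


if __name__ == "__main__":
    print("leaky variant reveals valid pair:", distinguishable(leaky_admin_login))
    print("uniform variant reveals valid pair:", distinguishable(uniform_admin_login))
```

The uniform variant still lets a staff user in and still refuses everyone else; what it gives up is the courtesy message the "+1" post wanted, which is exactly the bit of information the reply objects to handing out. A user who genuinely needs to know their own permissions can be told after logging in through the ordinary (non-admin) login, where the session already proves who they are.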
