[PATCH v2] auth: let users log in using their email address
Mads Kiilerich
mads at kiilerich.com
Sat May 16 21:12:20 EDT 2015
On 05/17/2015 02:11 AM, Andrew Shadura wrote:
> Hello,
>
> On Sun, 17 May 2015 01:50:56 +0200
> Mads Kiilerich <mads at kiilerich.com> wrote:
>
>>> diff --git a/kallithea/controllers/login.py
>>> b/kallithea/controllers/login.py ---
>>> a/kallithea/controllers/login.py +++
>>> b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class
>>> LoginController(BaseController): session.invalidate()
>>> c.form_result =
>>> login_form.to_python(dict(request.POST)) # form checks for
>>> username/password, now we're authenticated +
>>> + username = c.form_result['username']
>>> + if '@' in username:
>>> + username = User.get_by_email(username).username
>> This will still fail if the username not is a valid email address?
> No, as this code will never be executed (input rejected by a validator
> first).
>
> Correct me if I'm wrong, but if I read the code correctly, the check
> here will have no effect (which is why I haven't added it).
Ok. The explanation explains it. The code do however seem fragile and
non-obvious when reading it. An extra check or a clear comment would help.
Next, my first thought is whether the form validation check somehow
should rewrite the login ... but that also seems wrong.
My next (and correct?) thought is that it is wrong to use form
validation for login check. As your patches shows, it is ok that the
login process _not_ is user friendly. How about dropping the login form
validation of usernames/password first (perhaps except for "non-empty")?
What's your thought?
/Mads
More information about the kallithea-general
mailing list