Filter messages that can be displayed on the login page
Being able to show specific error messages on the login page would be useful and make for a nicer user experience, particularly after having to force logout a user or after preventing logging in for various reasons.
Only messages that have been explicitly marked as ok for the login page should be displayed.
See bug 1165702, and from review https:/
"There's actually a very explicit reason we *don't* display the messages on the login screen: it can be a security hole and/or hugely confusing by way of displaying accumulated messages that should only be presented to a logged in user to whomever next lands on that login page with that browser.
Somewhere there's a ticket about having a better way to filter messages that should *only* be displayed on the login screen, but that hasn't been implemented yet. I'm open to other ideas/implement
I couldn't find the other ticket or blueprint for this so I created this one.
Blueprint information
- Status: Complete
- Approver: Gabriel Hurley
- Priority: Low
- Drafter: Julie Pichon
- Direction: Approved
- Assignee: Julie Pichon
- Definition: Approved
- Series goal: Accepted for havana
- Implementation: Implemented
- Milestone target: 2013.2
- Started by: Julie Pichon
- Completed by: David Lyle
Whiteboard
[jpichon] Using the messages framework here may not be the best option even with the extra tags, as the system isn't really designed for selecting only a subset of the messages (either you take them all out of the storage, or reset them all) without messing with the internals of the message storage.
Likewise we are limited in what we can do on the login page itself, since we only control the templates (of which there are multiple, some with our Javascript loaded and some without (splash.html) - not sure of the rationale for the difference). The rest is handled by whatever authentication backend is in use.
Useful suggestion from mrunge: working on the assumption of a logout page instead, that can handle displaying the logout reason. Unfortunately the same limitations as the login page apply, as a call to the auth backend is required first in order to properly log a user out.
[lblanchard 8-13-13] It would definitely be useful, if we are to introduce a time out in the application, to identify if a user has been logged out due to timeout. I think the way we generalize an error message of "Invalid username or password." is a good way to stay secure.
[jpichon] Indeed, I think the main use case for this blueprint is explaining to the user why they have been logged out, or failed to log in. We do have a session time out implemented and I'm using it as one of the ways to test this.
[2013-08-27 | Gabriel] Bumping this to the next release cycle since we still don't have an obvious right answer here.
[2013-08-28 | jpichon] So... I finally have a working PoC, that uses a short-lived cookie-based approach. If this is acceptable, I think the change is small enough to be made this cycle. As a proof of concept I updated the following to make use of it:
- Updating your own password via the Settings
- Session time out (I think this one's particularly important)
- Error 401
I'll post up for comments.
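To make the short-lived cookie approach above concrete, here is an illustrative example added to this page (not Horizon's code and not the PoC itself): only message keys explicitly registered for the login page can travel in the cookie, so accumulated messages meant for a logged-in user cannot leak to whoever next opens that browser. The cookie name, format, HMAC signing, TTL and sample message registry are all assumptions of this example.

```python
"""Passing a logout reason to the login page via a short-lived cookie.

Only message keys listed in LOGIN_PAGE_MESSAGES are ever rendered on the
login page. The cookie carries a key (never free text), an expiry and an
HMAC so a tampered or stale cookie is ignored. Format, signing and TTL are
assumptions of this example, not Horizon's implementation.
"""
import hashlib
import hmac
import time

# Constructed sample registry: messages explicitly marked ok for the login page.
LOGIN_PAGE_MESSAGES = {
    "session_timeout": "Your session has timed out. Please log in again.",
    "password_changed": "Your password was changed. Please log in again.",
    "unauthorized": "You are not authorized to view that page. Please log in.",
}

COOKIE_NAME = "logout_reason"   # hypothetical cookie name
COOKIE_TTL = 60                 # seconds; deliberately short-lived
SECRET = b"example-secret-key"  # placeholder; a real app uses its SECRET_KEY


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_login_message_cookie(key: str, now: float = None) -> str:
    """Build the cookie value for a whitelisted key; raise KeyError otherwise."""
    if key not in LOGIN_PAGE_MESSAGES:
        raise KeyError("message %r is not marked for the login page" % key)
    expires = int((now if now is not None else time.time()) + COOKIE_TTL)
    payload = "%s:%d" % (key, expires)
    return payload + ":" + _sign(payload)


def read_login_message(cookie_value, now: float = None):
    """Return the text to render on the login page, or None if the cookie is
    absent, malformed, tampered with, expired, or names an unregistered key."""
    if not cookie_value:
        return None
    try:
        key, expires, sig = cookie_value.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign("%s:%d" % (key, expires))):
        return None
    if (now if now is not None else time.time()) > expires:
        return None
    return LOGIN_PAGE_MESSAGES.get(key)
```

The logout or 401 handler would set the cookie on its redirect response, and the login view would call read_login_message on the incoming cookie and then delete it, so the message is shown at most once.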
Gerrit topic: https:/
Addressed by: https:/
Display a message on the login page