- February 15, 2009
- middleware password exception
- 0 (after 0 ratings)
Sometimes when a Django site's authentication backend goes down, a login will fail with a 500 error. This has happened to me when using an LDAP backend for authentication. A glitch with the settings, or ldap temporarily disappearing can make logins flake out for a short period of time.
That's fine, but when a 500 error occurs it e-mails detailed information about the error to the ADMINS. We like this behavior for most errors, but it is quite frustrating when it is a login form with a password as part of a POST. If it is one of us who gets our password e-mailed out, it's even more frustrating. It hits a mailing list first, and goes to the archives to be stored in plain text. It goes to several e-mail inboxes, some of which are not local inboxes.
I decided that enough was enough. Drop this middleware in, and it will change a "password" field in the POST to twenty asterisks. This was the default way to display other sensitive settings on the DEBUG page, so I figured I'd be consistant with that.
This snippet is distributed under the GPLv3 License http://www.gnu.org/licenses/gpl-3.0-standalone.html
1 2 3 4 5 6 7 8 9 10 11 12
import sys from django.core.handlers.base import BaseHandler class NoPasswordExceptionMiddleware(): def process_exception(self, request, exception): if 'password' in request.POST.keys(): post = request.POST.copy() post['password']='********************' request.POST = post b=BaseHandler() exc_info = sys.exc_info() b.handle_uncaught_exception(request,exception,exc_info)