From 65ed32f86671f0057ce9c1562a55c984e1f470d6 Mon Sep 17 00:00:00 2001
From: Sven Hertle
Date: Thu, 11 Aug 2016 12:45:53 +0200
Subject: [PATCH] Unsuccessful logins are logged even if access log is disabled
---
 axes/decorators.py | 3 ++-
 axes/tests.py | 8 ++++++++
 docs/configuration.rst | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/axes/decorators.py b/axes/decorators.py
index 66cc045..9e7b58b 100644
--- a/axes/decorators.py
+++ b/axes/decorators.py
@@ -202,7 +202,8 @@ def watch_login(func):
 user_agent = request.META.get('HTTP_USER_AGENT', '')[:255]
 http_accept = request.META.get('HTTP_ACCEPT', '')[:1025]
 path_info = request.META.get('PATH_INFO', '')[:255]
- if not getattr(settings, 'AXES_DISABLE_ACCESS_LOG', False):
+ if not getattr(settings, 'AXES_DISABLE_ACCESS_LOG', False) or \
+ login_unsuccessful:
 AccessLog.objects.create(
 user_agent=user_agent,
 ip_address=get_ip(request),
diff --git a/axes/tests.py b/axes/tests.py
index afa1928..f63577e 100644
--- a/axes/tests.py
+++ b/axes/tests.py
@@ -260,6 +260,14 @@ class AccessAttemptTest(TestCase):
 self.assertEquals(AccessLog.objects.all().count(), 0)
 self.assertContains(response, 'Logged out')
+ @override_settings(AXES_DISABLE_ACCESS_LOG=True)
+ def test_valid_logout_without_log(self):
+ AccessLog.objects.all().delete()
+
+ response = self._login(is_valid_username=True, is_valid_password=False)
+
+ self.assertEquals(AccessLog.objects.all().count(), 1)
+
 class UtilsTest(TestCase):
 def test_iso8601(self):
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 53d2a50..730ed4e 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
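Review bot: In `watch_login` in axes/decorators.py, the new condition writes an `AccessLog` row for every failed login even when `AXES_DISABLE_ACCESS_LOG` is `True`, so deployments that set the flag to limit stored client data or table growth lose that control on upgrade without any signal. The row carries request-supplied values (`user_agent`, and the address returned by `get_ip(request)`), and its write rate now follows the rate of failed attempts, so retention and pruning of this table deserve a line in the release notes. I would also replace the backslash continuation with a parenthesised condition and put a comment above it, for example `# Failed logins are always recorded; AXES_DISABLE_ACCESS_LOG only suppresses successful ones.` `login_unsuccessful` is assigned outside the hunk, and the body of `watch_login` continues past it.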
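Review bot: The new test in axes/tests.py is named `test_valid_logout_without_log`, but it submits a wrong password and never logs out, so the name hides the one case this commit is about. It also checks only the row count and leaves `response` unused; asserting that the single `AccessLog` row is recorded as a failed attempt would pin the behaviour the setting now promises. A name such as `def test_invalid_login_is_logged_with_access_log_disabled(self):` would match what is exercised.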
@@ -60,4 +60,4 @@ These should be defined in your ``settings.py`` file.
 Default: ``False``
 * ``AXES_REVERSE_PROXY_HEADER``: If ``AXES_BEHIND_REVERSE_PROXY`` is ``True``, it will look for the IP address from this header.
 Default: ``HTTP_X_FORWARDED_FOR``
-* ``AXES_DISABLE_ACCESS_LOG``: If ``True``, successful logins will not be logged, so the access log shown in the admin interface is empty.
+* ``AXES_DISABLE_ACCESS_LOG``: If ``True``, successful logins will not be logged, so the access log shown in the admin interface will only list unsuccessful login attempts.