From 2c5e5e56770afdcbc1283dbcade19e6ae7c763de Mon Sep 17 00:00:00 2001
From: Michel Oosterhof <michel@oosterhof.net>
Date: Wed, 21 Jan 2015 21:43:36 +0000
Subject: [PATCH] add password denials

---
 kippo/core/auth.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kippo/core/auth.py b/kippo/core/auth.py
index 7685aa4..dfb77f4 100644
--- a/kippo/core/auth.py
+++ b/kippo/core/auth.py
@@ -68,8 +68,12 @@ class UserDB(object):
     def checklogin(self, thelogin, thepasswd):
         '''check entered username/password against database'''
         '''note that it allows multiple passwords for a single username'''
-
+        '''it also knows wildcard '*' for any password'''
+        '''prepend password with ! to explicitly deny it. Denials must come before wildcards'''
         for (login, uid, passwd) in self.userdb:
+            # explicitly fail on !password
+            if login == thelogin and passwd == '!'+thepasswd:
+                return False
             if login == thelogin and passwd in (thepasswd, '*'):
                 return True
         return False