Ticket #12103: 12103_with_tests.diff

docs/topics/auth.txt

@@ -1045 +1045 @@
 
     A form for logging a user in.
 
+    The ``AuthenticationForm`` rejects users whose ``is_active`` flag is set to ``False``.
+    You may override this behavior with a custom policy to determine which users can log in.
+    Do this with a custom form that subclasses ``AuthenticationForm`` and overrides the
+    ``confirm_login_allowed(self, user)`` method.  This method will raise a ``forms.ValidationError``
+    if the given user may not log in.
+
+    For example, to allow all users to log in, regardless of activation status::
+
+    .. code-block:: python
+
+        class AuthenticationFormWithInactiveUsersOkay(AuthenticationForm):
+            def confirm_login_allowed(self, user):
+                pass
+
+    Or to allow only some active users to log in:
+
+    .. code-block:: python
+
+        class PickyAuthenticationForm(AuthenticationForm):
+            def confirm_login_allowed(self, user):
+                if not user.is_active:
+                    raise forms.ValidationError(_("This account is inactive."))
+                if user.username.startswith('b'):
+                    raise forms.ValidationError(_("Sorry, accounts starting with 'b' aren't welcome here."))
+
 .. class:: PasswordChangeForm
 
     A form for allowing a user to change their password.

django/contrib/auth/tests/forms.py

@@ -105 +105 @@
     def test_success(self):
         # The success case
         data = {
+# The user is inactive but allowed to login
+
+>>> data = {
+...     'username': 'jsmith',
+...     'password': 'test123',
+... }
+>>> user.is_active = False
+>>> user.save()
+>>> class AuthenticationFormWithInactiveUsersOkay(AuthenticationForm):
+...     def confirm_login_allowed(self, user):
+...         pass
+>>> form = AuthenticationFormWithInactiveUsersOkay(None, data)
+>>> form.is_valid()
+True
+
+>>> user.is_active = True
+>>> user.save()
+
             'username': 'testclient',
             'password': 'password',
             }

django/contrib/auth/forms.py

@@ -85 +85 @@
             self.user_cache = authenticate(username=username, password=password)
             if self.user_cache is None:
                 raise forms.ValidationError(_("Please enter a correct username and password. Note that both fields are case-sensitive."))
-            elif not self.user_cache.is_active:
-                raise forms.ValidationError(_("This account is inactive."))
+            else:
+                self.confirm_login_allowed(self.user_cache)
         self.check_for_test_cookie()
         return self.cleaned_data
 
@@ -96 +96 @@
                 _("Your Web browser doesn't appear to have cookies enabled. "
                   "Cookies are required for logging in."))
 
+    def confirm_login_allowed(self, user):
+        """
+        Controls whether the given ``auth.User`` object may log in. This is a policy setting,
+        independent of end-user authentication. This default behavior is to allow login by
+        active users, and reject login by inactive users.
+
+        If the given user cannot log in, this method should raise a ``forms.ValidationError``.
+
+        If the given user may log in, this method should return None.
+        """
+        if not user.is_active:
+            raise forms.ValidationError(_("This account is inactive."))
+
     def get_user_id(self):
         if self.user_cache:
             return self.user_cache.id