Ticket #2550: patch_corrected.diff

docs/topics/auth.txt

@@ -1496 +1496 @@
 
 The order of :setting:`AUTHENTICATION_BACKENDS` matters, so if the same
 username and password is valid in multiple backends, Django will stop
-processing at the first positive match.
+processing at the first positive match.Also if a backend indicates that 
+a user is not allowed by raising a :class:`~django.core.exceptions.PermissionDenied` Exception,django 
+will stop there and will not check the backends that follow. 
 
 .. note::
 

django/contrib/auth/__init__.py

@@ -1 +1 @@
 import datetime
 from warnings import warn
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured,PermissionDenied
 from django.utils.importlib import import_module
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 
@@ -56 +56 @@
         except TypeError:
             # This backend doesn't accept these credentials as arguments. Try the next one.
             continue
+        except PermissionDenied: 
+            # This backend says to stop in our tracks - this user should not be allowed in at all. 
+            return None 
         if user is None:
             continue
         # Annotate the user object with the path of the backend.

django/contrib/auth/tests/auth_backends.py

@@ -3 +3 @@
 from django.conf import settings
 from django.contrib.auth.models import User, Group, Permission, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured,PermissionDenied
+from django.contrib.auth import authenticate
 from django.test import TestCase
 
 
@@ -354 +355 @@
         self.assertEqual(self.user1.has_module_perms("app1"), False)
         self.assertEqual(self.user1.has_module_perms("app2"), False)
 
+class PermissionDeniedBackend(object):
+    """
+    always raises PermissionDenied
+    """
+    supports_object_permissions = False
+    supports_anonymous_user = False
+
+    def authenticate(self,username=None,password=None):
+        raise PermissionDenied
+
+class PermissionDeniedBackendTest(TestCase):
+    """
+        Tests that other backends are not checked once a backend raises PermissionDenied
+    """
+    backend = 'django.contrib.auth.tests.auth_backends.PermissionDeniedBackend'
+
+    def setUp(self):
+        self.curr_auth = settings.AUTHENTICATION_BACKENDS
+        self.user1 = User.objects.create_user('test', 'test@example.com', 'test')
+        self.user1.save()
+
+    def tearDown(self):
+        settings.AUTHENTICATION_BACKENDS = self.curr_auth
+
+    def test_permission_denied(self):
+        "user is not authenticated after a backend raises permission denied #2550"
+        settings.AUTHENTICATION_BACKENDS = (self.backend,)+tuple(self.curr_auth) 
+        self.assertEqual(authenticate(username='test', password='test'), None)
+
+    def test_authenticates(self):
+        settings.AUTHENTICATION_BACKENDS = tuple(self.curr_auth) + (self.backend,)
+        self.assertEqual(authenticate(username='test', password='test'), self.user1)

django/contrib/auth/tests/__init__.py

@@ -1 +1 @@
 from django.contrib.auth.tests.auth_backends import (BackendTest,
     RowlevelBackendTest, AnonymousUserBackendTest, NoAnonymousUserBackendTest,
-    NoBackendsTest, InActiveUserBackendTest, NoInActiveUserBackendTest)
+    NoBackendsTest, InActiveUserBackendTest, NoInActiveUserBackendTest,PermissionDeniedBackendTest)
 from django.contrib.auth.tests.basic import BasicTestCase
 from django.contrib.auth.tests.decorators import LoginRequiredTestCase
 from django.contrib.auth.tests.forms import (UserCreationFormTest,