contrib.auth documentation is misleading re: whether User.is_active matters for login
|Reported by:||Ethan Jucovy||Owned by:||nobody|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The documentation at source:/django//trunk/docs/topics/auth.txt says
.. attribute:: models.User.is_active Boolean. Designates whether this user account should be considered active. Set this flag to ``False`` instead of deleting accounts. This doesn't control whether or not the user can log in. Nothing in the authentication path checks the ``is_active`` flag, so if you want to reject a login based on ``is_active`` being ``False``, it is up to you to check that in your own login view. However, permission checking using the methods like :meth:`~models.User.has_perm` does check this flag and will always return ``False`` for inactive users.
"This doesn't control whether or not the user can log in."
This is technically true, but misleading, because the default
AuthenticationForm in django.contrib.auth *does* reject inactive users. This behavior is undocumented.