Opened 4 years ago

Closed 4 years ago

#12113 closed (fixed)

contrib.auth documentation is misleading re: whether User.is_active matters for login

Reported by: ejucovy Owned by: nobody
Component: Documentation Version: 1.1
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

The documentation at source:/django//trunk/docs/topics/auth.txt says

    .. attribute:: models.User.is_active

        Boolean. Designates whether this user account should be considered
        active. Set this flag to ``False`` instead of deleting accounts.

        This doesn't control whether or not the user can log in. Nothing in the
        authentication path checks the ``is_active`` flag, so if you want to
        reject a login based on ``is_active`` being ``False``, it is up to you
        to check that in your own login view. However, permission checking
        using the methods like :meth:`~models.User.has_perm` does check this
        flag and will always return ``False`` for inactive users.

"This doesn't control whether or not the user can log in."

This is technically true, but misleading, because the default AuthenticationForm in django.contrib.auth *does* reject inactive users. This behavior is undocumented.
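
The gap the description points at, as an added example that is not part of the ticket or Django's own code: a plain-Python model in which `User`, `authenticate` and `login_view` are hypothetical stand-ins (no Django import) that follow the behaviour in the quoted documentation. A custom view that skips the `is_active` check hands a deactivated account a session, even though `has_perm` still returns `False` for it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:  # stand-in for models.User, not Django's class
    username: str
    salt: bytes
    pw_hash: bytes
    is_active: bool = True
    perms: set = field(default_factory=set)

    def has_perm(self, perm):  # quoted docs: always False when inactive
        return self.is_active and perm in self.perms


def make_user(username, password, **kwargs):
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), **kwargs)


# Constructed sample accounts: bob has been deactivated instead of deleted.
USERS = {u.username: u for u in (
    make_user("alice", "correct horse", perms={"polls.can_vote"}),
    make_user("bob", "battery staple", is_active=False, perms={"polls.can_vote"}),
)}


def authenticate(username, password):
    """Credential check only; is_active is not consulted here."""
    user = USERS.get(username)
    ok = user and hmac.compare_digest(user.pw_hash, _hash(password, user.salt))
    return user if ok else None


def login_view(session, username, password, check_active=True):
    """check_active=False models a custom view that forgets the flag."""
    user = authenticate(username, password)
    if user is None:
        return "invalid login"
    if check_active and not user.is_active:
        return "disabled account"
    session["user"] = user.username
    return "ok"
```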

Attachments (3)

document_inactive_user_behavior.diff (886 bytes) - added by ejucovy 4 years ago.
12113.diff (1.4 KB) - added by timo 4 years ago.
minor edits to existing patch
12113.3.diff (1.8 KB) - added by isagalaev 4 years ago.
Another edit, without vague "authentication path"

Change History (7)

Changed 4 years ago by ejucovy

comment:1 Changed 4 years ago by ejucovy

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I took a stab at a documentation patch. I feel like this could be clearer, but I'm not sure how.

Changed 4 years ago by timo

minor edits to existing patch

comment:2 Changed 4 years ago by timo

  • Triage Stage changed from Unreviewed to Ready for checkin

comment:3 Changed 4 years ago by isagalaev

I would also ditch "Nothing in the authentication path checks the is_active" because "authentication path" is not a well-defined thing. I think what this line tries to say is that authentication *backends* might not check for is_active. And the user should check it manually.

Changed 4 years ago by isagalaev

Another edit, without vague "authentication path"

comment:4 Changed 4 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [12193]) Fixed #12113 -- Clarified is_active documentation. Thanks, ejucovy and isagalaev
