Opened 15 years ago

Closed 15 years ago

#12113 closed (fixed)

contrib.auth documentation is misleading re: whether User.is_active matters for login

Reported by: Ethan Jucovy
Owned by: nobody
Component: Documentation
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The documentation at source:/django//trunk/docs/topics/auth.txt says

    .. attribute:: models.User.is_active

        Boolean. Designates whether this user account should be considered
        active. Set this flag to ``False`` instead of deleting accounts.

        This doesn't control whether or not the user can log in. Nothing in the
        authentication path checks the ``is_active`` flag, so if you want to
        reject a login based on ``is_active`` being ``False``, it is up to you
        to check that in your own login view. However, permission checking
        using the methods like :meth:`~models.User.has_perm` does check this
        flag and will always return ``False`` for inactive users.

"This doesn't control whether or not the user can log in."

This is technically true, but misleading, because the default AuthenticationForm in django.contrib.auth *does* reject inactive users. This behavior is undocumented.

Attachments (3)

document_inactive_user_behavior.diff (886 bytes) - added by Ethan Jucovy 15 years ago.
12113.diff (1.4 KB) - added by Tim Graham 15 years ago.
    minor edits to existing patch
12113.3.diff (1.8 KB) - added by Ivan Sagalaev 15 years ago.
    Another edit, without vague "authentication path"


Change History (7)

by Ethan Jucovy, 15 years ago

comment:1 by Ethan Jucovy, 15 years ago

Has patch: set

I took a stab at a documentation patch. I feel like this could be clearer, but I'm not sure how.

by Tim Graham, 15 years ago

Attachment: 12113.diff added

minor edits to existing patch

comment:2 by Tim Graham, 15 years ago

Triage Stage: Unreviewed → Ready for checkin

comment:3 by Ivan Sagalaev, 15 years ago

I would also ditch "Nothing in the authentication path checks the is_active" because "authentication path" is not a well-defined thing. I think what this line tries to say is that authentication *backends* might not check for is_active. And the user should check it manually.

by Ivan Sagalaev, 15 years ago

Attachment: 12113.3.diff added

Another edit, without vague "authentication path"

comment:4 by Adrian Holovaty, 15 years ago

Resolution: fixed
Status: new → closed

(In [12193]) Fixed #12113 -- Clarified is_active documentation. Thanks, ejucovy and isagalaev
