Inactive users have less permissions then anonymous users with custom backend
|Reported by:||Harro||Owned by:||nobody|
|Cc:||hvdklauw@…, jgelens@…||Triage Stage:||Accepted|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
With the closing of Ticket #12557 a custom backend could specify anonymous user permissions.
However now I have a system where an anonymous user has some permissions and a logged in inactive user (User.is_active == False) has no permissions at all.
I suggest the checks for is_active and is_superuser get removed as a check from the User class itself and instead get moved to the default authentication backend.
That way the default way keeps working the way it currently does, but it will allow developers to use those two properties as they see fit when they implement a custom backend.