Opened 14 years ago
Closed 12 years ago
#15366 closed New feature (duplicate)
AuthenticationForm should optionally permit inactive user login
Reported by: | Owned by: | hjeffrey | |
---|---|---|---|
Component: | contrib.auth | Version: | 1.3-beta |
Severity: | Normal | Keywords: | inactive |
Cc: | hjeffrey | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | yes |
Needs tests: | yes | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
ModelBackend now allows login with inactive user (it has supports_inactive_user property).
But AuthenticationForm never allows login of such user.
I guess it should be configurable because it is designed as base form for all authetication forms.
Attachments (2)
Change History (10)
comment:1 by , 14 years ago
milestone: | 1.3 |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:2 by , 14 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
by , 14 years ago
Attachment: | 15366.diff added |
---|
comment:3 by , 14 years ago
Has patch: | set |
---|
comment:4 by , 14 years ago
Triage Stage: | Accepted → Design decision needed |
---|
comment:5 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → New feature |
comment:7 by , 13 years ago
Easy pickings: | unset |
---|---|
Needs documentation: | set |
Needs tests: | set |
Patch needs improvement: | set |
Triage Stage: | Design decision needed → Accepted |
UI/UX: | unset |
We must consider:
- backwards compatibility: suddenly allowing inactive users to log in is absolutely unsafe;
- the docs for User.is_active: indeed, it doesn't preclude login of inactive users;
- the release notes and docs for supports_inactive_user: they say that
supports_inactive_user
is primarily related to permissions.
Currently, the best solution is to subclass AuthenticationForm
and override clean
entirely. I'm attaching a patch that makes it easier to support inactive users in a subclass. This would need a little bit more investigation (where is AuthenticationForm
used? what do the docs say?), possibly a more complete patch, then tests and docs.
by , 13 years ago
Attachment: | 15366-alternative.diff added |
---|
comment:8 by , 12 years ago
Resolution: | → duplicate |
---|---|
Status: | assigned → closed |
For me, #12103 is actually a duplicate with a much more elaborate patch (including tests and docs).
I don't know it this is the best way of handling the problem, but it seemed the simplest and most straight forward solution that would work generically.
There is possibly the issue that could arise were there are several backends for which the user has inactive accounts, some of which allow inactive users to log in while others do not. In this scenario the user would be rejected if the first backend that had credentials for him didn't allow inactive users to log in ever if others in the list did or even if he had an active account further down the list of backends.
Is inactive user login going to be a project wide setting for all backends or be handled on a backend by backend basis? If it's project wide the approach should work alright, but it still ignore active accounts further down in the list. If it's backend by backend what would be the appropriate authentication handling under the scenario presented?