Opened 4 years ago

Closed 4 years ago

#16797 closed New feature (wontfix)


Reported by: wim@… Owned by: nobody
Component: contrib.auth Version: 1.3
Severity: Normal Keywords:
Cc: taavi223 Triage Stage: Design decision needed
Has patch: yes Needs documentation: yes
Needs tests: yes Patch needs improvement: no
Easy pickings: no UI/UX: no


When a user is inactived in the admin interface, he should not be able to access login_required views.

The user should be authenticated and active in order to see these views. The additional decorator active_login_required solves this.

I am sorry for the duplicating of code, but it looked much better this way, than actually calling login_required with an additional parameter.

Attachments (1)

active_login_required_path.diff (1.7 KB) - added by wim@… 4 years ago.
a patch for ticket 16797: adding a stronger login_required decorator

Download all attachments as: .zip

Change History (8)

Changed 4 years ago by wim@…

a patch for ticket 16797: adding a stronger login_required decorator

comment:1 follow-up: Changed 4 years ago by anonymous

  • Has patch set
  • Needs documentation unset
  • Needs tests set
  • Patch needs improvement unset

comment:2 in reply to: ↑ 1 Changed 4 years ago by taavi223

  • Cc taavi223 added

Correct me if I'm wrong here, but doesn't inactivating a user mean that they can no longer login, and therefore not access any views decorated with login_required?

Last edited 4 years ago by taavi223 (previous) (diff)

comment:3 Changed 4 years ago by anonymous

The problem arises when the user is already logged in. In that case the user can use the site for as long as his session is valid. This is surprising as one might expect that just removing is_active is enough to get rid of a problematic user.

comment:4 Changed 4 years ago by taavi223

That is surprising. I would think in that case the best option would be to logout a user when is_active is removed; however, that may not be such an easy solution. Does anyone know if there's any way to do this?

comment:5 Changed 4 years ago by anonymous

Hi taavi,

As far as I know it is not possible. See ticket #13125 .

comment:6 Changed 4 years ago by aaugustin

  • Needs documentation set
  • Triage Stage changed from Unreviewed to Design decision needed

This was discussed on the mailing list (thread "plea for re-opening ticket 13125 marked as won't fix"), there is just a -0 from a core developer.

This would require some serious documentation, as the existence of two similar decorators could cause confusion.

comment:7 Changed 4 years ago by jacob

  • Resolution set to wontfix
  • Status changed from new to closed

Thanks for the suggestion, Wim, but I think this is something that shouldn't go into Django. Every site is going to have their own slightly different auth needs, and that's the purpose of the generic user_passes_test meta-decorator. Including each and every slightly different permutation of auth logic in Django is a path that leads towards spaghetti code. Further, this is trivial to accomplish in your own code, so there isn't a much impetus to include it in Django.

Thanks again!

Note: See TracTickets for help on using tickets.
Back to Top