Opened 13 years ago
Closed 13 years ago
#16797 closed New feature (wontfix)
active_login_required
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | contrib.auth | Version: | 1.3 |
Severity: | Normal | Keywords: | |
Cc: | Taavi Taijala | Triage Stage: | Design decision needed |
Has patch: | yes | Needs documentation: | yes |
Needs tests: | yes | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When a user is inactived in the admin interface, he should not be able to access login_required views.
The user should be authenticated and active in order to see these views. The additional decorator active_login_required solves this.
I am sorry for the duplicating of code, but it looked much better this way, than actually calling login_required with an additional parameter.
Attachments (1)
Change History (8)
by , 13 years ago
Attachment: | active_login_required_path.diff added |
---|
follow-up: 2 comment:1 by , 13 years ago
Has patch: | set |
---|---|
Needs tests: | set |
comment:2 by , 13 years ago
Cc: | added |
---|
Replying to anonymous:
Correct me if I'm wrong here, but doesn't inactivating a user mean that they can no longer login, and therefore not access any views decorated with login_required?
comment:3 by , 13 years ago
The problem arises when the user is already logged in. In that case the user can use the site for as long as his session is valid. This is surprising as one might expect that just removing is_active is enough to get rid of a problematic user.
comment:4 by , 13 years ago
That is surprising. I would think in that case the best option would be to logout a user when is_active is removed; however, that may not be such an easy solution. Does anyone know if there's any way to do this?
comment:6 by , 13 years ago
Needs documentation: | set |
---|---|
Triage Stage: | Unreviewed → Design decision needed |
This was discussed on the mailing list (thread "plea for re-opening ticket 13125 marked as won't fix"), there is just a -0 from a core developer.
This would require some serious documentation, as the existence of two similar decorators could cause confusion.
comment:7 by , 13 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Thanks for the suggestion, Wim, but I think this is something that shouldn't go into Django. Every site is going to have their own slightly different auth needs, and that's the purpose of the generic user_passes_test
meta-decorator. Including each and every slightly different permutation of auth logic in Django is a path that leads towards spaghetti code. Further, this is trivial to accomplish in your own code, so there isn't a much impetus to include it in Django.
Thanks again!
a patch for ticket 16797: adding a stronger login_required decorator