Opened 7 years ago

Closed 7 years ago

#16996 closed Bug (duplicate)

login_required decorator should check user.is_active

Reported by: Preston Holmes Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


This decorator only checks that user.is_authenticated

changing the decorator to also check user.is_active would be somewhat backwards incompatible, but would in general be what people would expect of the decorator.

Instead of the meaning being "the decorator ensures that the user needs to be logged in, or requires that they be an active user at their next login"

instead would be:

"decorator ensures that the user is logged in and active"

(those aren't proposed docs, just semantic meaning repr)

Basically, if a user is already logged in, and they have a long lived auth cookie, if you mark that user as inactive, they will continue to be able to access decorated views until they next need to login, as is_active is only checked in the login form.

Change History (1)

comment:1 Changed 7 years ago by Preston Holmes

Resolution: duplicate
Status: newclosed

dupe #13125

Note: See TracTickets for help on using tickets.
Back to Top