login_required decorator should check user.is_active
|Reported by:||Preston Holmes||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
This decorator only checks that user.is_authenticated
changing the decorator to also check user.is_active would be somewhat backwards incompatible, but would in general be what people would expect of the decorator.
Instead of the meaning being "the decorator ensures that the user needs to be logged in, or requires that they be an active user at their next login"
instead would be:
"decorator ensures that the user is logged in and active"
(those aren't proposed docs, just semantic meaning repr)
Basically, if a user is already logged in, and they have a long lived auth cookie, if you mark that user as inactive, they will continue to be able to access decorated views until they next need to login, as is_active is only checked in the login form.