Opened 5 years ago

Closed 5 years ago

#16996 closed Bug (duplicate)

login_required decorator should check user.is_active

Reported by: ptone
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


This decorator only checks user.is_authenticated.

Changing the decorator to also check user.is_active would be somewhat backwards incompatible, but would in general be what people would expect of the decorator.

Instead of the meaning being "the decorator ensures that the user needs to be logged in, or requires that they be an active user at their next login"

it would instead be:

"decorator ensures that the user is logged in and active"

(those aren't proposed docs, just semantic meaning repr)

Basically, if a user is already logged in and has a long-lived auth cookie, and you mark that user as inactive, they will continue to be able to access decorated views until they next need to log in, as is_active is only checked in the login form.
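The gap described above, as an added example that is not part of the ticket and not Django's own code: a framework-free model of the two decorator semantics, run against a user who is deactivated while their session is still valid. The `User` and `Request` classes, `LOGIN_URL`, the view names and the tuple return values are constructed stand-ins, and `is_authenticated` is modelled as a plain boolean attribute.

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"  # assumed login path for this sketch

@dataclass
class User:  # constructed stand-in for the user restored from a session
    username: str
    is_authenticated: bool = True
    is_active: bool = True

@dataclass
class Request:  # constructed stand-in for an HTTP request
    path: str
    user: User

def gate(test):
    """Build a view decorator that redirects to LOGIN_URL when test(user) fails."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if test(request.user):
                return view(request, *args, **kwargs)
            return ("redirect", f"{LOGIN_URL}?next={quote(request.path)}")
        return wrapped
    return decorator

# Semantics the ticket reports: only authentication is checked per request.
authenticated_only = gate(lambda u: u.is_authenticated)
# Semantics the ticket asks for: the account must also still be active.
authenticated_and_active = gate(lambda u: u.is_authenticated and u.is_active)

@authenticated_only
def report_loose(request):
    return ("ok", request.user.username)

@authenticated_and_active
def report_strict(request):
    return ("ok", request.user.username)

def demo():
    # Constructed scenario: alice logged in earlier and holds a valid session.
    alice = User("alice")
    req = Request("/reports/", alice)
    before = (report_loose(req), report_strict(req))
    alice.is_active = False  # an admin deactivates the account mid-session
    after = (report_loose(req), report_strict(req))
    return before, after
```

After deactivation the authentication-only view still serves the request, while the stricter view sends the user back to the login page, which is where `is_active` is enforced.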

Change History (1)

comment:1 Changed 5 years ago by ptone

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

dupe #13125
