id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24987	Remove test client login()'s hardcoded rejection of inactive users	Jon Dufresne	nobody	"According to the documentation on the `User` attribute `is_active`:

https://docs.djangoproject.com/en/dev/ref/contrib/auth/

> This doesn’t necessarily control whether or not the user can log in. Authentication backends aren’t required to check for the is_active flag, and the default backends do not. If you want to reject a login based on is_active being False, it’s up to you to check that in your own login view or a custom authentication backend. However, the AuthenticationForm used by the login() view (which is the default) does perform this check, as do the permission-checking methods such as has_perm() and the authentication in the Django admin. All of those functions/methods will return False for inactive users.

My auth system takes advantage of this by allowing inactive users to log in.

However, if I try to log in an inactive user in a test, the login fails. This happens due to the code in Client.login() in client.py:

{{{
        user = authenticate(**credentials)
        if (user and user.is_active and
                apps.is_installed('django.contrib.sessions')):
            ...
            return True
        else:
            return False
}}}

That is, after a successful authentication in a test, inactive users are rejected. This seems to contradict the documentation.

How would you feel about dropping the `user.is_active` check in `Client.login()`?"	Bug	closed	Testing framework	dev	Normal	fixed		sasha@…	Ready for checkin	1	0	0	0	0	0
