Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#25232 closed New feature (fixed)

Make the ModelBackend/RemoteUser authentication backends reject inactive users

Reported by: Ole Laursen
Owned by: Sasha Gaevsky
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc: lau@…
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I just got a bug report that inactive users could still access a site I'm maintaining. It turns out that is_active doesn't really deactivate people, it just prevents them from logging in again.

This was discussed in 2008:

https://groups.google.com/forum/#!topic/django-developers/P0b0g0sr-b8

I think the short version is that this happened by accident (login view checks is_active, so does permissions, but auth backend doesn't) but discovered late enough that Malcolm Tredinnick didn't want to break backwards compatibility.

This leaves no proper built-in way to deactivate users, a useful feature. Hence, I humbly suggest that we add a setting à la PREVENT_INACTIVE_USERS_FROM_BEING_AUTHENTICATED? It would default to None, meaning leave the current semi-broken behaviour, but you could set it to True to have the ModelBackend do a check on is_active in get_user:

https://github.com/django/django/blob/master/django/contrib/auth/backends.py#L90

Perhaps it could also be set to False to prevent the login view and permissions from checking is_active, in case anyone finds that useful.

If people like the setting, it could perhaps in the future default to True.

Attachments (1)

25232.diff (2.4 KB) - added by Tim Graham 4 years ago.


Change History (15)

comment:1 Changed 4 years ago by Tim Graham

It would be better to first write to the DevelopersMailingList to get a consensus on the design issues. New settings are to be avoided if possible.

comment:2 Changed 4 years ago by Tim Graham

Resolution: wontfix
Status: new → closed
Summary: Deactivating users with is_active → Add a setting to make the ModelBackend reject inactive users
Type: Uncategorized → New feature

It seems to me this could be accomplished without much difficulty by overriding the ModelBackend. Something like (untested):

from django.contrib.auth.backends import ModelBackend

class RejectInactiveUsersBackend(ModelBackend):
    def get_user(self, user_id):
        # Load the user as ModelBackend does, then refuse it if deactivated,
        # so an existing session no longer resolves to an inactive user.
        user = super(RejectInactiveUsersBackend, self).get_user(user_id)
        if user and not user.is_active:
            return None
        return user

It's probably better to recommend that route instead of adding a setting.

comment:3 Changed 4 years ago by Aymeric Augustin

Resolution: wontfix
Status: closed → new

The manual workaround is to change a user's password, assuming SessionAuthenticationMiddleware is installed... That said I'm not comfortable with suggesting workarounds. The current situation could easily be described as a security issue.

I don't think adding a setting is a solution because using the default value will leave sites vulnerable. I think we should fix the bug, document the backwards-incompatibility and provide a way to restore the previous behavior.

I'm going to reopen the bug in the hope to gather more feedback. If no one thinks fixing is a good idea, we can close it again.

comment:4 Changed 4 years ago by Carl Meyer

I agree with Aymeric that it's just a bug if the backend behavior doesn't match the login form behavior. Both are easily overrideable.

comment:5 Changed 4 years ago by Tim Graham

Summary: Add a setting to make the ModelBackend reject inactive users → Make the ModelBackend authentication backend reject inactive users
Version: 1.8 → master

It might also be possible to fix #24987 and remove the user.is_active check in the test client login() method. A draft patch is attached, but some test failures remain.

For backwards compatibility, should we provide an authentication backend that allows inactive users:

from django.contrib.auth.backends import ModelBackend

class AllowInactiveUsersModelBackend(ModelBackend):
    allow_inactive_users = True

(incorporating that flag into the patch).

Changed 4 years ago by Tim Graham

Attachment: 25232.diff added

comment:6 Changed 4 years ago by Tim Graham

Triage Stage: Unreviewed → Accepted

comment:7 Changed 4 years ago by Sasha Gaevsky

Has patch: set
Owner: changed from nobody to Sasha Gaevsky
Status: new → assigned

I've started with the PR

comment:8 Changed 4 years ago by Tim Graham

Patch needs improvement: set

Left comments for improvement.

comment:9 Changed 3 years ago by Tim Graham

Patch needs improvement: unset

comment:10 Changed 3 years ago by Tim Graham

Patch needs improvement: set

I think RemoteUserBackend should have the same behavior as ModelBackend and respect the proposed user_can_authenticate() method.
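The pattern discussed in comment:2 (override get_user) and comment:10 (a single user_can_authenticate() hook shared by the login and session paths), as an added, dependency-free example that is not Django's code and not the ticket's patch. The class names LegacyBackend, RejectInactiveBackend and AllowAllUsersBackend, the login_view stand-in and the user records are all constructed for illustration; only the method name user_can_authenticate() comes from the ticket. It shows why an is_active check done only in the login view leaves an already-issued session usable after deactivation, and how routing both authenticate() and get_user() through the hook closes that gap while an opt-out subclass restores the old behaviour.

```python
# Added example (not Django's code): stand-in for the backend pattern in this ticket.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int
    username: str
    password: str  # plain text only because this is a constructed toy
    is_active: bool = True


def make_users() -> Dict[int, User]:
    """Constructed in-memory user table: one active user, one deactivated."""
    return {
        1: User(1, "alice", "correct horse"),
        2: User(2, "mallory", "battery staple", is_active=False),
    }


class LegacyBackend:
    """Pre-fix behaviour the ticket describes: the backend never consults
    is_active, so only the login view's own check keeps inactive users out."""

    def __init__(self, users: Dict[int, User]):
        self.users = users

    def authenticate(self, username: str, password: str) -> Optional[User]:
        for user in self.users.values():
            if user.username == username and user.password == password:
                return user
        return None

    def get_user(self, user_id: Optional[int]) -> Optional[User]:
        # Called on every request to turn the session's stored id into a user.
        return self.users.get(user_id)


class RejectInactiveBackend(LegacyBackend):
    """Fixed pattern: both entry points go through user_can_authenticate()."""

    def user_can_authenticate(self, user: User) -> bool:
        # A model without an is_active attribute is allowed, so custom user
        # models that never had the flag keep working.
        is_active = getattr(user, "is_active", None)
        return bool(is_active or is_active is None)

    def authenticate(self, username: str, password: str) -> Optional[User]:
        user = super().authenticate(username, password)
        return user if user is not None and self.user_can_authenticate(user) else None

    def get_user(self, user_id: Optional[int]) -> Optional[User]:
        user = super().get_user(user_id)
        return user if user is not None and self.user_can_authenticate(user) else None


class AllowAllUsersBackend(RejectInactiveBackend):
    """Opt-out subclass restoring the old behaviour, the role comment:5's
    AllowInactiveUsers backend plays for sites that need it."""

    def user_can_authenticate(self, user: User) -> bool:
        return True


def login_view(backend: LegacyBackend, session: dict, username: str, password: str) -> bool:
    """Hypothetical login view: checks is_active itself, as the ticket says the
    real view did, then records the user id in the session."""
    user = backend.authenticate(username, password)
    if user is None or not user.is_active:
        return False
    session["_auth_user_id"] = user.id
    return True


def deactivation_scenario(backend_cls) -> Tuple[bool, bool]:
    """Log alice in, deactivate her, and report (login succeeded,
    her existing session still resolves to a user afterwards)."""
    users = make_users()
    backend = backend_cls(users)
    session: dict = {}
    logged_in = login_view(backend, session, "alice", "correct horse")
    users[1].is_active = False  # an administrator deactivates the account
    still_valid = backend.get_user(session.get("_auth_user_id")) is not None
    return logged_in, still_valid


def inactive_login_via_backend(backend_cls) -> bool:
    """Whether the backend alone (bypassing the view's check, as a custom view
    calling authenticate() directly would) accepts the deactivated user."""
    backend = backend_cls(make_users())
    return backend.authenticate("mallory", "battery staple") is not None


if __name__ == "__main__":
    for cls in (LegacyBackend, RejectInactiveBackend, AllowAllUsersBackend):
        print(cls.__name__, deactivation_scenario(cls), inactive_login_via_backend(cls))
```

With LegacyBackend the deactivated session still resolves to a user and the backend accepts the inactive account directly; RejectInactiveBackend rejects both, and AllowAllUsersBackend deliberately reverts to the legacy results. The detail to keep is that the check lives in get_user(), not only in authenticate(): the former runs on every request, so it is what actually ends a session after deactivation.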

comment:11 Changed 3 years ago by Tim Graham

Patch needs improvement: unset
Summary: Make the ModelBackend authentication backend reject inactive users → Make the ModelBackend/RemoteUser authentication backends reject inactive users

I updated the PR for the above comment. The second commit there should be good to go but if someone could double check the first that would be great.

comment:12 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In e0a3d937:

Fixed #25232 -- Made ModelBackend/RemoteUserBackend reject inactive users.

comment:13 Changed 3 years ago by Tim Graham <timograham@…>

In e69091b:

Refs #25232 -- Documented AllowAll*Backend in "new features" section of 1.10 release notes.

comment:14 Changed 3 years ago by Tim Graham <timograham@…>

In 738a65a5:

[1.10.x] Refs #25232 -- Documented AllowAll*Backend in "new features" section of 1.10 release notes.

Backport of e69091b34a34697fe7eac38763dd372b305e1ab4 from master
