id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25232	Make the ModelBackend/RemoteUser authentication backends reject inactive users	Ole Laursen	Sasha Gaevsky	"I just got a bug report that inactive users could still access a site I'm maintaining. It turns out that is_active doesn't really deactivate people, it just prevents them from logging in again.

This was discussed in 2008:

https://groups.google.com/forum/#!topic/django-developers/P0b0g0sr-b8

I think the short version is that this happened by accident (login view checks is_active, so do permissions, but auth backend doesn't) but was discovered late enough that Malcolm Tredinnick didn't want to break backwards compatibility.

This leaves no proper built-in way to deactivate users, a useful feature. Hence, I humbly suggest that we add a setting à la PREVENT_INACTIVE_USERS_FROM_BEING_AUTHENTICATED? It would default to None, meaning leave the current semi-broken behaviour, but you could set it to True to have the ModelBackend do a check on is_active in get_user:

https://github.com/django/django/blob/master/django/contrib/auth/backends.py#L90

Perhaps it could also be set to False to prevent the login view and permissions from checking is_active, in case anyone finds that useful.

If people like the setting, it could perhaps in the future default to True."	New feature	closed	contrib.auth	dev	Normal	fixed		lau@…	Accepted	1	0	0	0	0	0
