#2656 closed defect (invalid)
After creating a new user with create_user, calling login is failed
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I see that login() should be called after authenticate(), but because I created a new user using create_user(), so I think I don't need invoke authenticate() at all. Need I *MUST* call authenticate(), after I create_user() a new user, in order to login() the new user?
Change History (6)
comment:1 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 18 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
I know that. But what I mean is since I can create a user successfully, so it's implied that the user is a valid user, and should not need to authenticate again, just call login() is enought. So I think the create_user should automaticly authenticate the new user.
comment:3 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | reopened → closed |
I don't think that was the question -- if I'm understanding correctly, he's asking what the proper step is to log a user in automatically after creating the user's account. In which case he probably does want to call login instead of authenticate -- authenticate does not log the user in, it simply returns the object corresponding to the user's account if the supplied credentials are correct.
Regardless, this is an issue to be explored on the mailing list, not here in a ticket, so I'm closing it.
comment:4 by , 18 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
This is a definately a bug, this also intereferes with functionality that allows one user to login as another, for instance for administrative access or automaticaly loged role users, etc, like 'su' in the shell, the login function should able to work with out without the authenticate function, leave that up to the application developer.
comment:5 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | reopened → closed |
I think you're misunderstanding the names of the functions. login does not display a login form, or ask for credentials. authenticate does. The purpose of the login function is to persist the user's identifying information in their session so they won't have to authenticate again and again and again. Therefore, any sort of "switch user" functionality must rely on authenticate.
Closing again.
comment:6 by , 18 years ago
And just to clarify in an utterly pedantic way, based on double-checking the code:
logintakes two arguments: theHttpRequestand aUserobject, and updates the session corresponding to the request with info about the user. That's it.authenticatetakes a set of credentials (using the default built-in auth backend, this is a username/password pair) and sees if they correspond to a validUserobject, then returns thatUserobject.
In other words, any su-style functionality has to be built around authenticate, and that's not a bug -- authenticate is, well, how you authenticate people. If you want to do a password-less-style switch the way su works on Unix when you're root, you can supply a custom auth backend which supports that.
Yes, you MUST call authenticate, as authenticate actually logs in the user and sets up the login cookie, etc. While creating a user does not log them in (and should NOT as its a model operation only). These are two VERY different operations.