Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#2656 closed defect (invalid)

After creating a new user with create_user, calling login is failed

Reported by: limodou@… Owned by: Adrian Holovaty
Component: Core (Other) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


I see that login() should be called after authenticate(), but because I created a new user using create_user(), so I think I don't need invoke authenticate() at all. Need I *MUST* call authenticate(), after I create_user() a new user, in order to login() the new user?

Change History (6)

comment:1 Changed 12 years ago by anonymous

Resolution: invalid
Status: newclosed

Yes, you MUST call authenticate, as authenticate actually logs in the user and sets up the login cookie, etc. While creating a user does not log them in (and should NOT as its a model operation only). These are two VERY different operations.

comment:2 Changed 12 years ago by limodou@…

Resolution: invalid
Status: closedreopened

I know that. But what I mean is since I can create a user successfully, so it's implied that the user is a valid user, and should not need to authenticate again, just call login() is enought. So I think the create_user should automaticly authenticate the new user.

comment:3 Changed 12 years ago by James Bennett

Resolution: invalid
Status: reopenedclosed

I don't think that was the question -- if I'm understanding correctly, he's asking what the proper step is to log a user in automatically after creating the user's account. In which case he probably does want to call login instead of authenticate -- authenticate does not log the user in, it simply returns the object corresponding to the user's account if the supplied credentials are correct.

Regardless, this is an issue to be explored on the mailing list, not here in a ticket, so I'm closing it.

comment:4 Changed 12 years ago by dmytri kleiner <dmytrik@…>

Resolution: invalid
Status: closedreopened

This is a definately a bug, this also intereferes with functionality that allows one user to login as another, for instance for administrative access or automaticaly loged role users, etc, like 'su' in the shell, the login function should able to work with out without the authenticate function, leave that up to the application developer.

comment:5 Changed 12 years ago by James Bennett

Resolution: invalid
Status: reopenedclosed

I think you're misunderstanding the names of the functions. login does not display a login form, or ask for credentials. authenticate does. The purpose of the login function is to persist the user's identifying information in their session so they won't have to authenticate again and again and again. Therefore, any sort of "switch user" functionality must rely on authenticate.

Closing again.

comment:6 Changed 12 years ago by James Bennett

And just to clarify in an utterly pedantic way, based on double-checking the code:

  • login takes two arguments: the HttpRequest and a User object, and updates the session corresponding to the request with info about the user. That's it.
  • authenticate takes a set of credentials (using the default built-in auth backend, this is a username/password pair) and sees if they correspond to a valid User object, then returns that User object.

In other words, any su-style functionality has to be built around authenticate, and that's not a bug -- authenticate is, well, how you authenticate people. If you want to do a password-less-style switch the way su works on Unix when you're root, you can supply a custom auth backend which supports that.

Note: See TracTickets for help on using tickets.
Back to Top