Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#2656 closed defect (invalid)

After creating a new user with create_user, calling login is failed

Reported by: limodou@… Owned by: adrian
Component: Core (Other) Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I see that login() should be called after authenticate(), but because I created a new user using create_user(), so I think I don't need invoke authenticate() at all. Need I *MUST* call authenticate(), after I create_user() a new user, in order to login() the new user?

Change History (6)

comment:1 Changed 9 years ago by anonymous

  • Resolution set to invalid
  • Status changed from new to closed

Yes, you MUST call authenticate, as authenticate actually logs in the user and sets up the login cookie, etc. While creating a user does not log them in (and should NOT as its a model operation only). These are two VERY different operations.

comment:2 Changed 9 years ago by limodou@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

I know that. But what I mean is since I can create a user successfully, so it's implied that the user is a valid user, and should not need to authenticate again, just call login() is enought. So I think the create_user should automaticly authenticate the new user.

comment:3 Changed 9 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from reopened to closed

I don't think that was the question -- if I'm understanding correctly, he's asking what the proper step is to log a user in automatically after creating the user's account. In which case he probably does want to call login instead of authenticate -- authenticate does not log the user in, it simply returns the object corresponding to the user's account if the supplied credentials are correct.

Regardless, this is an issue to be explored on the mailing list, not here in a ticket, so I'm closing it.

comment:4 Changed 9 years ago by dmytri kleiner <dmytrik@…>

  • Resolution invalid deleted
  • Status changed from closed to reopened

This is a definately a bug, this also intereferes with functionality that allows one user to login as another, for instance for administrative access or automaticaly loged role users, etc, like 'su' in the shell, the login function should able to work with out without the authenticate function, leave that up to the application developer.

comment:5 Changed 9 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from reopened to closed

I think you're misunderstanding the names of the functions. login does not display a login form, or ask for credentials. authenticate does. The purpose of the login function is to persist the user's identifying information in their session so they won't have to authenticate again and again and again. Therefore, any sort of "switch user" functionality must rely on authenticate.

Closing again.

comment:6 Changed 9 years ago by ubernostrum

And just to clarify in an utterly pedantic way, based on double-checking the code:

  • login takes two arguments: the HttpRequest and a User object, and updates the session corresponding to the request with info about the user. That's it.
  • authenticate takes a set of credentials (using the default built-in auth backend, this is a username/password pair) and sees if they correspond to a valid User object, then returns that User object.

In other words, any su-style functionality has to be built around authenticate, and that's not a bug -- authenticate is, well, how you authenticate people. If you want to do a password-less-style switch the way su works on Unix when you're root, you can supply a custom auth backend which supports that.

Note: See TracTickets for help on using tickets.
Back to Top