Opened 8 years ago

Last modified 8 years ago

#26957 closed Cleanup/optimization

Inconsistency between doc and code: authenticate() when user.is_active == False — at Version 1

Reported by: Shen Li Owned by: nobody
Component: contrib.auth Version: 1.10
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description (last modified by Shen Li)

In the code:
https://github.com/django/django/blob/stable/1.10.x/django/contrib/auth/backends.py#L12-L32

    def authenticate(self, username=None, password=None, **kwargs):
        UserModel = get_user_model()
        if username is None:
            username = kwargs.get(UserModel.USERNAME_FIELD)
        try:
            user = UserModel._default_manager.get_by_natural_key(username)
        except UserModel.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a non-existing user (#20760).
            UserModel().set_password(password)
        else:
            if user.check_password(password) and self.user_can_authenticate(user):
                return user

    def user_can_authenticate(self, user):
        """
        Reject users with is_active=False. Custom user models that don't have
        that attribute are allowed.
        """
        is_active = getattr(user, 'is_active', None)
        return is_active or is_active is None

authenticate() returns None when user.is_active == False.

However, the documentation suggests that when user.is_active == False, the authenticate() method returns the user normally.

https://docs.djangoproject.com/en/1.10/topics/auth/default/#auth-web-requests

from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
            ...
    else:
        # Return an 'invalid login' error message.
        ...

Change History (1)

comment:1 by Shen Li, 8 years ago

Description: modified (diff)
Version: 1.91.10
Note: See TracTickets for help on using tickets.
Back to Top