id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
28021	Add active_login_required decorator	Wim Feijen	nobody	"Hi,

Documentation recommends setting a user's is_active flag to False in stead of deleting a user:

https://docs.djangoproject.com/en/1.10/ref/contrib/auth/#django.contrib.auth.models.User.is_active
""Boolean. Designates whether this user account should be considered active. We recommend that you set this flag to False instead of deleting accounts; that way, if your applications have any foreign keys to users, the foreign keys won’t break.""

However, the recommended login_required decorator does not check whether is_active is True or False, meaning inactive users may still access that view. 

To maintain backwards compatibility, it was decided not to change the behaviour of login_required, see:
https://code.djangoproject.com/ticket/13125
""is_active is a hook for custom auth sources and custom auth logic; the built-in stuff doesn't check it. Yes it's a bit counter-intuitive, but changing it is going to break a number of expectations in users' code, so it's going to need to stay as is.""

As a solution, I'd like to add an active_login_required decorator, which does check for is_active = True. That way we maintain backwards compatibility and in addition we can have a decorator that behaves intuitively."	New feature	closed	contrib.auth	1.10	Normal	wontfix			Unreviewed	0	0	0	0	0	0