Opened 7 years ago

Last modified 7 years ago

#28021 closed New feature

Add active_login_required decorator — at Initial Version

Reported by: Wim Feijen
Owned by: nobody
Component: contrib.auth
Version: 1.10
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hi,

Documentation recommends setting a user's is_active flag to False instead of deleting a user:

https://docs.djangoproject.com/en/1.10/ref/contrib/auth/#django.contrib.auth.models.User.is_active
"Boolean. Designates whether this user account should be considered active. We recommend that you set this flag to False instead of deleting accounts; that way, if your applications have any foreign keys to users, the foreign keys won’t break."

However, the recommended login_required decorator does not check whether is_active is True or False, meaning inactive users may still access that view.

To maintain backwards compatibility, it was decided not to change the behaviour of login_required, see:
https://code.djangoproject.com/ticket/13125
"is_active is a hook for custom auth sources and custom auth logic; the built-in stuff doesn't check it. Yes it's a bit counter-intuitive, but changing it is going to break a number of expectations in users' code, so it's going to need to stay as is."

As a solution, I'd like to add an active_login_required decorator, which does check for is_active = True. That way we maintain backwards compatibility and in addition we can have a decorator that behaves intuitively.
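
The gap described in this ticket, as an added example that is not part of the original ticket or of Django's code: a framework-free model using stand-in request and user objects (`guard`, `authenticated_only`, `make_request`, `LOGIN_URL` and the dict responses are assumptions made for illustration). In a Django project the same predicate can be passed to `django.contrib.auth.decorators.user_passes_test`.

```python
from functools import wraps
from types import SimpleNamespace
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"  # assumed login path for this sketch


def guard(test_func):
    """Build a view decorator that redirects to LOGIN_URL unless test_func(user) passes."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if test_func(request.user):
                return view(request, *args, **kwargs)
            # Stand-in for an HTTP redirect response.
            return {"status": 302, "location": f"{LOGIN_URL}?next={quote(request.path)}"}
        return wrapped
    return decorator


# Behaviour the ticket describes for login_required: only authentication is checked.
authenticated_only = guard(lambda u: u.is_authenticated)

# Behaviour the ticket proposes: authenticated AND is_active.
# getattr defaults to False so a user object without the flag is refused.
active_login_required = guard(
    lambda u: u.is_authenticated and getattr(u, "is_active", False)
)


def make_request(path, authenticated, active):
    """Constructed request/user pair standing in for the framework's objects."""
    user = SimpleNamespace(is_authenticated=authenticated, is_active=active)
    return SimpleNamespace(path=path, user=user)


@authenticated_only
def report_legacy(request):
    return {"status": 200}


@active_login_required
def report_strict(request):
    return {"status": 200}


if __name__ == "__main__":
    deactivated = make_request("/report/", authenticated=True, active=False)
    print("authenticated_only:   ", report_legacy(deactivated))
    print("active_login_required:", report_strict(deactivated))
```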

Change History (0)
