Opened 14 years ago
Closed 12 years ago
#15366 closed New feature (duplicate)
AuthenticationForm should optionally permit inactive user login
| Reported by: | Owned by: | hjeffrey | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.3-beta |
| Severity: | Normal | Keywords: | inactive |
| Cc: | hjeffrey | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | yes |
| Needs tests: | yes | Patch needs improvement: | yes |
| Easy pickings: | no | UI/UX: | no |
Description
ModelBackend now allows login with inactive user (it has supports_inactive_user property).
But AuthenticationForm never allows login of such user.
I guess it should be configurable because it is designed as base form for all authetication forms.
Attachments (2)
Change History (10)
comment:1 by , 14 years ago
| milestone: | 1.3 |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 14 years ago
| Cc: | added |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
by , 14 years ago
| Attachment: | 15366.diff added |
|---|
comment:3 by , 14 years ago
| Has patch: | set |
|---|
comment:4 by , 14 years ago
| Triage Stage: | Accepted → Design decision needed |
|---|
comment:5 by , 14 years ago
| Severity: | → Normal |
|---|---|
| Type: | → New feature |
comment:7 by , 13 years ago
| Easy pickings: | unset |
|---|---|
| Needs documentation: | set |
| Needs tests: | set |
| Patch needs improvement: | set |
| Triage Stage: | Design decision needed → Accepted |
| UI/UX: | unset |
We must consider:
- backwards compatibility: suddenly allowing inactive users to log in is absolutely unsafe;
- the docs for User.is_active: indeed, it doesn't preclude login of inactive users;
- the release notes and docs for supports_inactive_user: they say that
supports_inactive_useris primarily related to permissions.
Currently, the best solution is to subclass AuthenticationForm and override clean entirely. I'm attaching a patch that makes it easier to support inactive users in a subclass. This would need a little bit more investigation (where is AuthenticationForm used? what do the docs say?), possibly a more complete patch, then tests and docs.
by , 13 years ago
| Attachment: | 15366-alternative.diff added |
|---|
comment:8 by , 12 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | assigned → closed |
For me, #12103 is actually a duplicate with a much more elaborate patch (including tests and docs).
Note:
See TracTickets
for help on using tickets.
I don't know it this is the best way of handling the problem, but it seemed the simplest and most straight forward solution that would work generically.
There is possibly the issue that could arise were there are several backends for which the user has inactive accounts, some of which allow inactive users to log in while others do not. In this scenario the user would be rejected if the first backend that had credentials for him didn't allow inactive users to log in ever if others in the list did or even if he had an active account further down the list of backends.
Is inactive user login going to be a project wide setting for all backends or be handled on a backend by backend basis? If it's project wide the approach should work alright, but it still ignores active accounts further down in the list. If it's backend by backend what would be the appropriate authentication handling under the scenario presented?