On Thu, Apr 15, 2010 at 9:50 AM, Harro <hvdkl...@gmail.com> wrote:

> I think the problem isn't the login_required, but it simply does what
> it says it does: Check if the user is logged in.
>
> For me a user with is_active set to false shouldn't be allowed to
> login, they either just created an account and still need to verify it
> or they indicated that they wanted their account "removed", in which
> case it's marked inactive so it doesn't cascade delete all their
> related items too.
>

Or the third case, when a staff user de-activates the user for some reason.
In this scenario, the user is still logged in, and simply using
@login_required will continue to allow the user to access resources that are
meant to be restricted.

To correct this behavior, we've subclassed the Authentication middleware and
the LazyUser object it sets on the request.  Our LazyUser ensures the user
is active, otherwise it creates an AnonymousUser instance.
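The middleware/LazyUser approach described in the reply above, as an added example that is not the poster's code. It runs without Django: the User, AnonymousUser, get_user and Request classes are constructed stand-ins for the django.contrib.auth objects, and the descriptor shape follows Django's LazyUser.

```python
class AnonymousUser(object):
    """Stand-in for django.contrib.auth.models.AnonymousUser."""
    is_active = False
    username = ""

    def is_authenticated(self):
        return False

class User(object):
    """Stand-in for the auth User model (only the fields this example needs)."""
    def __init__(self, username, is_active=True):
        self.username = username
        self.is_active = is_active

    def is_authenticated(self):
        return True

# Constructed user table; Django's session stores the user id the same way.
USERS = {1: User("alice"), 2: User("bob", is_active=False)}

def get_user(request):
    """Stand-in for django.contrib.auth.get_user: resolve the session's user id."""
    return USERS.get(request.session.get("_auth_user_id"), AnonymousUser())

class ActiveOnlyLazyUser(object):
    """Descriptor installed on the request class, like Django's LazyUser.
    Evaluated per request, so a user deactivated by staff mid-session turns
    anonymous on the next request even though the session cookie is still valid.
    """
    def __get__(self, request, obj_type=None):
        if not hasattr(request, "_cached_user"):
            user = get_user(request)
            request._cached_user = user if user.is_active else AnonymousUser()
        return request._cached_user

class ActiveOnlyAuthenticationMiddleware(object):
    """Same shape as Django's AuthenticationMiddleware, installing the subclass above."""
    def process_request(self, request):
        request.__class__.user = ActiveOnlyLazyUser()

class Request(object):
    """Minimal request object; only the session dict matters here."""
    def __init__(self, session):
        self.session = session

def resolve_user(user_id):
    """Run one request through the middleware; return the effective request.user."""
    request = Request({"_auth_user_id": user_id})
    ActiveOnlyAuthenticationMiddleware().process_request(request)
    return request.user
```

Because the inactive user now resolves to an AnonymousUser, an unchanged @login_required (which tests is_authenticated) starts redirecting that user instead of serving the restricted view.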
