#25232: Deactivating users with is_active
-------------------------------+--------------------
Reporter: OleLaursen | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.auth | Version: 1.8
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
I just got a bug report that inactive users could still access a site I'm
maintaining. It turns out that is_active doesn't really deactivate people,
it just prevents them from logging in again.

This was discussed in 2008:
https://groups.google.com/forum/#!topic/django-developers/P0b0g0sr-b8

I think the short version is that this happened by accident (the login view
checks is_active, so do permissions, but the auth backend doesn't) but was
discovered late enough that Malcolm Tredinnick didn't want to break
backwards compatibility.

This leaves no proper built-in way to deactivate users, a useful feature.

Hence, I humbly suggest that we add a setting à la
PREVENT_INACTIVE_USERS_FROM_BEING_AUTHENTICATED? It would default to None,
meaning leave the current semi-broken behaviour, but you could set it to
True to have the ModelBackend do a check on is_active in get_user:
https://github.com/django/django/blob/master/django/contrib/auth/backends.py#L90

Perhaps it could also be set to False to prevent the login view and
permissions from checking is_active, in case anyone finds that useful.

If people like the setting, it could perhaps in the future default to
True.
--
Ticket URL: <https://code.djangoproject.com/ticket/25232>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
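
The gap described in this ticket, as an added example that is not part of the original ticket and is not Django's code: a session created before deactivation keeps resolving to the user because get_user does not look at is_active, and a mixin that adds the check closes it. `User`, `StandInBackend`, `ActiveOnlyGetUserMixin`, `StrictBackend` and `resolve_session` are hypothetical names, and `StandInBackend` only models the get_user behaviour the ticket describes.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Constructed stand-in for a user record with an is_active flag."""
    pk: int
    username: str
    is_active: bool = True


class StandInBackend:
    """Models the ticket's description: get_user() ignores is_active."""

    def __init__(self, users):
        self.users = {u.pk: u for u in users}

    def get_user(self, user_id):
        return self.users.get(user_id)


class ActiveOnlyGetUserMixin:
    """Treat a deactivated account as unknown on every request, not only at login."""

    def get_user(self, user_id):
        user = super().get_user(user_id)
        if user is None or not getattr(user, "is_active", False):
            return None
        return user


# In a Django project the same mixin would be placed in front of
# django.contrib.auth.backends.ModelBackend and the resulting class
# listed in AUTHENTICATION_BACKENDS (assumption: not tested against Django here).
class StrictBackend(ActiveOnlyGetUserMixin, StandInBackend):
    pass


def resolve_session(backend, session):
    """Per-request lookup: map the user id stored in the session to a user."""
    return backend.get_user(session.get("user_id"))


def demo():
    alice = User(pk=1, username="alice")
    session = {"user_id": alice.pk}   # constructed session, made while active
    alice.is_active = False           # account deactivated afterwards
    lenient = resolve_session(StandInBackend([alice]), session)
    strict = resolve_session(StrictBackend([alice]), session)
    return lenient, strict
```

With the check in get_user, deactivation takes effect on the next request instead of waiting for the existing session to expire.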