#25232: Add a setting to make the ModelBackend reject inactive users
------------------------------+--------------------------------------
Reporter: OleLaursen | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.8
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by aaugustin):
* status: closed => new
* resolution: wontfix =>
Comment:
The manual workaround is to change a user's password, assuming
`SessionAuthenticationMiddleware` is installed... That said I'm not
comfortable with suggesting workarounds. The current situation could
easily be described as a security issue.
I don't think adding a setting is a solution because using the default
value will leave sites vulnerable. I think we should fix the bug, document
the backwards-incompatibility and provide a way to restore the previous
behavior.
I'm going to reopen the bug in the hope of gathering more feedback. If no one
thinks fixing is a good idea, we can close it again.
--
Ticket URL: <https://code.djangoproject.com/ticket/25232#comment:3>