> Description:
> "The login_required decorator is not checking User.is_active, as
> staff_member_required does. If an authenticated user is deactivated
> (via setting is_active to False), the user is still able to browse
> login_required-protected views."
> For probably most people, the expected and (most likely) wanted
> behavior would be not to let inactive users have access to
> login_required files.

I actually had my problems with this some time ago, too. Meaning I wanted to disable users via setting is_active=False. Back then I just thought this was stupid. But a while later I discovered a not so uncommon use case for the login_required behavior which may be the reason this still is in design decision state:

Many websites force their users to activate using email verification. Many of those also log in their users after registration (as an is_active=False-user). This way the user gets logged in successfully but may never log in again before going through email verification.

I myself have code which relies on this behavior. So I think just changing it may break some websites. Anyway I still think this is not what people expect, so either this needs to be documented ("WARNING: ...") or changed in a backwards compatible way (e.g. add a parameter to login_required).

David
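
The backwards-compatible option raised in the message above (a parameter on login_required), as an added framework-free sketch that is not part of the original thread and not Django's code. The decorator name `active_aware_login_required`, the `require_active` parameter, `LOGIN_URL` and the stub request objects are all assumptions made for illustration.

```python
from functools import wraps
from types import SimpleNamespace

LOGIN_URL = "/accounts/login/"  # assumed redirect target for this sketch


def active_aware_login_required(view=None, *, require_active=False):
    """Hypothetical stand-in for login_required with an opt-in is_active check.

    require_active=False keeps the behaviour described in the thread:
    any authenticated user passes, deactivated or not.
    """
    def decorator(func):
        @wraps(func)
        def wrapper(request, *args, **kwargs):
            user = request.user
            allowed = user.is_authenticated and (user.is_active or not require_active)
            if not allowed:
                # Stand-in for an HTTP redirect to the login page.
                return SimpleNamespace(status=302,
                                       location=f"{LOGIN_URL}?next={request.path}")
            return func(request, *args, **kwargs)
        return wrapper
    # Support both @decorator and @decorator(require_active=True).
    return decorator if view is None else decorator(view)


def make_request(authenticated, active, path="/dashboard/"):
    """Constructed request/user objects exposing only the attributes used above."""
    user = SimpleNamespace(is_authenticated=authenticated, is_active=active)
    return SimpleNamespace(user=user, path=path)


@active_aware_login_required
def legacy_view(request):
    # Existing call sites: unchanged behaviour, inactive users still get in.
    return SimpleNamespace(status=200, location=None)


@active_aware_login_required(require_active=True)
def strict_view(request):
    # Opted-in call sites: a deactivated user is sent back to the login page.
    return SimpleNamespace(status=200, location=None)


def demo():
    deactivated = make_request(authenticated=True, active=False)
    return legacy_view(deactivated).status, strict_view(deactivated).status


if __name__ == "__main__":
    print(demo())
```

Views that rely on the log-in-before-email-verification flow keep the default, while views that must lock out deactivated accounts opt in per view.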