Re: login_required does not check User.is_active

2010-03-17 Thread mattd
i need to think more about russell's points before responding in full, but i did want to briefly mention the following: 1. simply shortening the length of sessions doesn't prevent a user with revoked access from seeing new and potentially sensitive data created after the user's deactivation. if de

Re: login_required does not check User.is_active

2010-03-16 Thread mattd
't looked to see what discussion there was around the > original decision. I'd hope it would make more sense if I did look > back in the archives. > > I'm no expert on this one. Just thought I'd point out the fact that > the docs do discuss the subject of that bug ti

Re: login_required does not check User.is_active

2010-03-16 Thread mattd
if it's a design decision, it's a silly one imo. why should i have to work around django's ever-so-convenient "login_required" decorator to prevent a deactivated user from viewing a page they're no longer allowed to view? a deactivated user *shouldn't even be allowed to be logged in*, but there'