Fixed #25232 -- Made ModelBackend/RemoteUserBackend reject inactive users.

2025-10-24 06:06:09 +00:00 · 2016-02-05 16:46:19 +02:00
parent 1555d50ea4
commit e0a3d93730
11 changed files with 216 additions and 30 deletions
--- a/docs/ref/contrib/auth.txt
+++ b/docs/ref/contrib/auth.txt
@@ -76,15 +76,26 @@ Fields

        This doesn't necessarily control whether or not the user can log in.
        Authentication backends aren't required to check for the ``is_active``
-        flag, and the default backends do not. If you want to reject a login
-        based on ``is_active`` being ``False``, it's up to you to check that in
-        your own login view or a custom authentication backend. However, the
+        flag but the default backend
+        (:class:`~django.contrib.auth.backends.ModelBackend`) and the
+        :class:`~django.contrib.auth.backends.RemoteUserBackend` do. You can
+        use :class:`~django.contrib.auth.backends.AllowAllUsersModelBackend`
+        or :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend`
+        if you want to allow inactive users to login. In this case, you'll also
+        want to customize the
        :class:`~django.contrib.auth.forms.AuthenticationForm` used by the
-        :func:`~django.contrib.auth.views.login` view (which is the default)
-        *does* perform this check, as do the permission-checking methods such
-        as :meth:`~django.contrib.auth.models.User.has_perm` and the
-        authentication in the Django admin. All of those functions/methods will
-        return ``False`` for inactive users.
+        :func:`~django.contrib.auth.views.login` view as it rejects inactive
+        users. Be aware that the permission-checking methods such as
+        :meth:`~django.contrib.auth.models.User.has_perm` and the
+        authentication in the Django admin all return ``False`` for inactive
+        users.
+
+        .. versionchanged:: 1.10
+
+            In older versions,
+            :class:`~django.contrib.auth.backends.ModelBackend` and
+            :class:`~django.contrib.auth.backends.RemoteUserBackend` allowed
+            inactive users to authenticate.

    .. attribute:: is_superuser

@@ -488,6 +499,32 @@ The following backends are available in :mod:`django.contrib.auth.backends`:
        Returns whether the ``user_obj`` has any permissions on the app
        ``app_label``.

+    .. method:: ModelBackend.user_can_authenticate()
+
+        .. versionadded:: 1.10
+
+        Returns whether the user is allowed to authenticate. To match the
+        behavior of :class:`~django.contrib.auth.forms.AuthenticationForm`
+        which :meth:`prohibits inactive users from logging in
+        <django.contrib.auth.forms.AuthenticationForm.confirm_login_allowed>`,
+        this method returns ``False`` for users with :attr:`is_active=False
+        <django.contrib.auth.models.User.is_active>`. Custom user models that
+        don't have an :attr:`~django.contrib.auth.models.CustomUser.is_active`
+        field are allowed.
+
+.. class:: AllowAllUsersModelBackend
+
+   .. versionadded:: 1.10
+
+   Same as :class:`ModelBackend` except that it doesn't reject inactive users
+   because :meth:`~ModelBackend.user_can_authenticate` always returns ``True``.
+
+   When using this backend, you'll likely want to customize the
+   :class:`~django.contrib.auth.forms.AuthenticationForm` used by the
+   :func:`~django.contrib.auth.views.login` view by overriding the
+   :meth:`~django.contrib.auth.forms.AuthenticationForm.confirm_login_allowed`
+   method as it rejects inactive users.
+
 .. class:: RemoteUserBackend

    Use this backend to take advantage of external-to-Django-handled
@@ -529,3 +566,21 @@ The following backends are available in :mod:`django.contrib.auth.backends`:
   new user is created, and can be used to perform custom setup actions, such
   as setting the user's groups based on attributes in an LDAP directory.
   Returns the user object.
+
+.. method:: RemoteUserBackend.user_can_authenticate()
+
+    .. versionadded:: 1.10
+
+    Returns whether the user is allowed to authenticate. This method returns
+    ``False`` for users with :attr:`is_active=False
+    <django.contrib.auth.models.User.is_active>`. Custom user models that don't
+    have an :attr:`~django.contrib.auth.models.CustomUser.is_active` field are
+    allowed.
+
+.. class:: AllowAllUsersRemoteUserBackend
+
+   .. versionadded:: 1.10
+
+   Same as :class:`RemoteUserBackend` except that it doesn't reject inactive
+   users because :attr:`~RemoteUserBackend.user_can_authenticate` always
+   returns ``True``.