Here's an idea that might work better than a decorator:

Create a setting called ALLOW_DEACTIVATED_LOGINS.  Then modify auth.login()
to enforce this as well as changing ModelBackend.get_user() to logout users
whose accounts are disabled.  Make the setting True by default in 1.4 and
announce it'll be set to False in either 1.5 or 1.6.

This way is_active can be secure by default, not require users to implement
its functionality themselves while also following the principle of least
astonishment.  The only confusing thing about this solution is that users
might not understand it doesn't affect the admin login form and
auth.views.login.

On Mon, Sep 12, 2011 at 3:43 AM, Florian Apolloner <[email protected]> wrote:

> Probably yeah, on the other hand the docs tell you that is_active doesn't
> necessarily have to be checked by backends, so if a backend allows to login
> inactive users it makes no sense to check that flag in login_required… I
> guess what I am proposing is that the login_required flag checks via the
> auth backends whether or not the user should be allowed to pass, that way
> all the necessary checks stay in one place…
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/django-developers/-/A922lTjpZc8J.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
>
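
A stand-alone model of the two checks proposed in the message above, added here as an illustration; it is not part of the original message and not Django's code. ALLOW_DEACTIVATED_LOGINS is the setting name from the message; User, USERS, SESSIONS, settings and scenario() are constructed stand-ins for the ORM, the session store and the settings module.

```python
# Constructed model of the proposal; no Django import, runs on its own.
from dataclasses import dataclass

@dataclass
class User:
    pk: int
    username: str
    is_active: bool = True

class Settings:
    ALLOW_DEACTIVATED_LOGINS = True   # proposed default for 1.4 (legacy behaviour)

class PermissionDenied(Exception): pass

settings = Settings()
USERS = {}      # pk -> User (stand-in for the user table)
SESSIONS = {}   # session key -> user pk (stand-in for the session store)

def _blocked(user):
    return not user.is_active and not settings.ALLOW_DEACTIVATED_LOGINS

def login(session_key, user):
    """Check 1: refuse to create a session for a deactivated account."""
    if _blocked(user):
        raise PermissionDenied(f"{user.username} is deactivated")
    SESSIONS[session_key] = user.pk

def get_user(session_key):
    """Check 2: per-request lookup that logs out deactivated accounts."""
    user = USERS.get(SESSIONS.get(session_key))
    if user is not None and _blocked(user):
        SESSIONS.pop(session_key, None)   # drop the existing session
        return None
    return user

def scenario(allow):
    """Same sequence under either setting; returns what each step observed."""
    settings.ALLOW_DEACTIVATED_LOGINS = allow
    SESSIONS.clear()
    alice, bob = User(1, "alice"), User(2, "bob", is_active=False)
    USERS.update({1: alice, 2: bob})
    try:
        login("s-bob", bob)            # bob is already deactivated
        bob_logged_in = True
    except PermissionDenied:
        bob_logged_in = False
    login("s-alice", alice)
    alice.is_active = False            # alice is deactivated mid-session
    return bob_logged_in, get_user("s-alice"), "s-alice" in SESSIONS
```

The second check is the one a login-time test alone misses: with the setting False, a session opened before the account was deactivated stops resolving to a user on the next lookup.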
