On Mon, Nov 10, 2008 at 2:49 PM, Sebastian Bauer <[EMAIL PROTECTED]> wrote: > > Hello, i think login_required should check that user is not only > authenticated, but also if is active. What do you think about this change? >
I see two problems with this: 1. This current behavior is fully documented [1]. In relevant part, the documentation says: > This doesn't control whether or not the user can log > in. Nothing in the authentication path checks the > is_active flag, so if you want to reject a login based > on is_active being False, it is up to you to check that > in your own login view. However, permission checking > using the methods like has_perm() does check this > flag and will always return False for inactive users. 2. Many people have expected the current behavior for some time and such a change would be backward incompatible. Although, I do see that the documentation specific to the login_required view does not specifically mention the behavior. Perhaps a note there would be beneficial. [1]: http://docs.djangoproject.com/en/dev/topics/auth/#api-reference -- ---- Waylan Limberg [EMAIL PROTECTED] --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---