if it's a design decision, it's a silly one imo. why should i have to work around django's ever-so-convenient "login_required" decorator to prevent a deactivated user from viewing a page they're no longer allowed to view? a deactivated user *shouldn't even be allowed to be be logged in*, but there's no way (that i know of) the purge the session data for a given user on deactivation, and i can't just email them to politely ask them to log out.
On Mar 16, 4:48 pm, Gabriel Hurley <gab...@gmail.com> wrote: > The docs have this to say about is_active: > > "This doesn’t control whether or not the user can log in. Nothing in > the authentication path checks the is_active flag, so if you want to > reject a login based on is_active being False, it is up to you to > check that in your own login view. However, permission checking using > the methods like has_perm() does check this flag and will always > return False for inactive users." > > http://docs.djangoproject.com/en/1.1/topics/auth/#django.contrib.auth... > > So, if we're to believe the docs, this isn't a bug but a design > decision. > > All the best, > > - Gabriel > > On Mar 16, 1:53 pm, Sean Brant <brant.s...@gmail.com> wrote: > > > > > A co-worker of mine noticed this bug > > todayhttp://code.djangoproject.com/ticket/13125. > > Should it be marked for 1.2 or punt it until after the release > > candidate? It looks to be a bug so it could probably go in at anytime. > > Let me know your thoughts. -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
