The case is as follows:

1. An active user is logged in and has a valid session.
2. The user is inactivated by a system admin, who wants to disable the
user.
3. Because the user is still logged in (maybe for two weeks, or for
whatever expiration time the developer has set), he passes the
login_required decorator, and still can see those pages which we
naively thought were being protected by the login_required decorator,
because that decorator doesn't check for is_active.

This patch is a patch for that problem.

Wim


On 10 sep, 23:09, Florian Apolloner <f.apollo...@gmail.com> wrote:
> Stupid question, but why do you let inactive users log in at all? I mean is
> this really a problem of the decorator and not of the login system you use?!
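
The three-step case above, replayed as an added example that is not part of the original message or of the patch it refers to. It is a framework-free model with constructed data: `User`, `USERS`, `SESSIONS`, `login`, `guard` and the two views are hypothetical stand-ins, not Django's code.

```python
from dataclasses import dataclass
from functools import wraps

@dataclass
class User:                      # hypothetical stand-in for a user record
    username: str
    is_active: bool = True

USERS = {}     # username -> User (stand-in for the user table)
SESSIONS = {}  # session key -> username (stand-in for the session store)

def login(session_key, username):
    """Start a session; the login step itself refuses inactive accounts."""
    user = USERS.get(username)
    if user is None or not user.is_active:
        return False
    SESSIONS[session_key] = username
    return True

def guard(require_active):
    """Build a view decorator; require_active=False models the check in step 3."""
    def decorator(view):
        @wraps(view)
        def wrapper(session_key):
            user = USERS.get(SESSIONS.get(session_key))
            if user is None:
                return "302 /login"              # anonymous: no valid session
            if require_active and not user.is_active:
                SESSIONS.pop(session_key, None)  # drop the stale session
                return "302 /login"
            return view(user)
        return wrapper
    return decorator

@guard(require_active=False)
def report_weak(user):
    return "200 report for " + user.username

@guard(require_active=True)
def report_strict(user):
    return "200 report for " + user.username

def run_scenario():
    """Replay steps 1-3 with constructed data and return each response."""
    USERS.clear(); SESSIONS.clear()
    USERS["alice"] = User("alice")
    login("s1", "alice")                 # step 1: valid session
    before = report_weak("s1")
    USERS["alice"].is_active = False     # step 2: admin deactivates the user
    weak = report_weak("s1")             # step 3: existing session still passes
    strict = report_strict("s1")         # is_active re-checked on each request
    relogin = login("s2", "alice")       # a fresh login is refused either way
    return before, weak, strict, relogin
```

In this model the login step already refuses inactive accounts, so the only access left after deactivation is through the session created before it.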
