Fixed #24987 -- Allowed inactive users to login with the test client.

Alexander Gaevsky 2016-02-05 21:03:06 +02:00 committed by Tim Graham
parent e0a3d93730
commit 107165c4b0
4 changed files with 18 additions and 12 deletions


@ -599,8 +599,7 @@ class Client(RequestFactory):
""" """
from django.contrib.auth import authenticate from django.contrib.auth import authenticate
user = authenticate(**credentials) user = authenticate(**credentials)
if (user and user.is_active and if user and apps.is_installed('django.contrib.sessions'):
apps.is_installed('django.contrib.sessions')):
self._login(user) self._login(user)
return True return True
else: else:
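Review bot: With `user.is_active` dropped from the condition, `login()` now succeeds for any user the backend returns, so a custom backend that never checks `is_active` lets inactive accounts log in through the test client. The documentation removed elsewhere in this commit says the login view's `AuthenticationForm` rejects inactive users by default, so a passing `client.login()` may no longer match what the real login view does. I would add a comment above the condition, `# is_active is enforced (or not) by the authentication backend, not here.`, and state the same caveat in the method docstring. The docstring and the rest of `login()` lie outside this hunk, so I am inferring that nothing else in the method re-checks `is_active`.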


@ -678,6 +678,10 @@ Miscellaneous
:class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend` :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend`
in :setting:`AUTHENTICATION_BACKENDS` instead. in :setting:`AUTHENTICATION_BACKENDS` instead.
* In light of the previous change, the test client's
:meth:`~django.test.Client.login()` method no longer always rejects inactive
users but instead delegates this decision to the authentication backend.
.. _deprecated-features-1.10: .. _deprecated-features-1.10:
Features deprecated in 1.10 Features deprecated in 1.10


@ -334,13 +334,6 @@ Use the ``django.test.Client`` class to make requests.
``login()`` method to simulate the effect of a user logging into the ``login()`` method to simulate the effect of a user logging into the
site. site.
Inactive users (:attr:`is_active=False
<django.contrib.auth.models.User.is_active>`) are not permitted to
login as this method is meant to be equivalent to the
:func:`~django.contrib.auth.login` view which uses
:class:`~django.contrib.auth.forms.AuthenticationForm` and therefore
defaults to rejecting users who are inactive.
After you call this method, the test client will have all the cookies After you call this method, the test client will have all the cookies
and session data required to pass any login-based tests that may form and session data required to pass any login-based tests that may form
part of a view. part of a view.
@ -378,6 +371,12 @@ Use the ``django.test.Client`` class to make requests.
:meth:`~django.contrib.auth.models.UserManager.create_user` helper :meth:`~django.contrib.auth.models.UserManager.create_user` helper
method to create a new user with a correctly hashed password. method to create a new user with a correctly hashed password.
.. versionchanged:: 1.10
In previous versions, inactive users (:attr:`is_active=False
<django.contrib.auth.models.User.is_active>`) were not permitted
to login.
.. method:: Client.force_login(user, backend=None) .. method:: Client.force_login(user, backend=None)
.. versionadded:: 1.9 .. versionadded:: 1.9


@ -432,10 +432,14 @@ class ClientTest(TestCase):
self.assertFalse(login) self.assertFalse(login)
def test_view_with_inactive_login(self): def test_view_with_inactive_login(self):
"Request a page that is protected with @login, but use an inactive login" """
An inactive user may login if the authenticate backend allows it.
"""
credentials = {'username': 'inactive', 'password': 'password'}
self.assertFalse(self.client.login(**credentials))
login = self.client.login(username='inactive', password='password') with self.settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend']):
self.assertFalse(login) self.assertTrue(self.client.login(**credentials))
@override_settings( @override_settings(
AUTHENTICATION_BACKENDS=[ AUTHENTICATION_BACKENDS=[
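Review bot: The positive case in `test_view_with_inactive_login` only checks the return value of `client.login()`. Nothing after `self.assertTrue(...)` confirms that the session actually carries the inactive user, although the test name refers to a view. Inside the `with self.settings(...)` block I would follow the login with a request to a login-protected view and assert that the response's user is the inactive one. The first `assertFalse` also relies on whatever default `AUTHENTICATION_BACKENDS` the test settings provide (presumably `ModelBackend`) rejecting inactive users; a comment such as `# The default backend rejects inactive users.` would make that dependency visible. The enclosing class continues outside the hunk.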