Fixed #24987 -- Allowed inactive users to login with the test client.

2016-02-05 21:03:06 +02:00 · 2016-02-05 21:03:06 +02:00 · 107165c4b0
parent e0a3d93730
commit 107165c4b0
4 changed files with 18 additions and 12 deletions
--- a/django/test/client.py
+++ b/django/test/client.py
@ -599,8 +599,7 @@ class Client(RequestFactory):
        """
        from django.contrib.auth import authenticate
        user = authenticate(**credentials)
-        if (user and user.is_active and
-                apps.is_installed('django.contrib.sessions')):
+        if user and apps.is_installed('django.contrib.sessions'):
            self._login(user)
            return True
        else:
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@ -678,6 +678,10 @@ Miscellaneous
  :class:`~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend`
  in :setting:`AUTHENTICATION_BACKENDS` instead.

+* In light of the previous change, the test client's
+  :meth:`~django.test.Client.login()` method no longer always rejects inactive
+  users but instead delegates this decision to the authentication backend.
+
 .. _deprecated-features-1.10:

 Features deprecated in 1.10
--- a/docs/topics/testing/tools.txt
+++ b/docs/topics/testing/tools.txt
@ -334,13 +334,6 @@ Use the ``django.test.Client`` class to make requests.
        ``login()`` method to simulate the effect of a user logging into the
        site.

-        Inactive users (:attr:`is_active=False
-        <django.contrib.auth.models.User.is_active>`) are not permitted to
-        login as this method is meant to be equivalent to the
-        :func:`~django.contrib.auth.login` view which uses
-        :class:`~django.contrib.auth.forms.AuthenticationForm` and therefore
-        defaults to rejecting users who are inactive.
-
        After you call this method, the test client will have all the cookies
        and session data required to pass any login-based tests that may form
        part of a view.
@ -378,6 +371,12 @@ Use the ``django.test.Client`` class to make requests.
        :meth:`~django.contrib.auth.models.UserManager.create_user` helper
        method to create a new user with a correctly hashed password.

+        .. versionchanged:: 1.10
+
+            In previous versions, inactive users (:attr:`is_active=False
+            <django.contrib.auth.models.User.is_active>`) were not permitted
+            to login.
+
    .. method:: Client.force_login(user, backend=None)

        .. versionadded:: 1.9
--- a/tests/test_client/tests.py
+++ b/tests/test_client/tests.py
@ -432,10 +432,14 @@ class ClientTest(TestCase):
        self.assertFalse(login)

    def test_view_with_inactive_login(self):
-        "Request a page that is protected with @login, but use an inactive login"
+        """
+        An inactive user may login if the authenticate backend allows it.
+        """
+        credentials = {'username': 'inactive', 'password': 'password'}
+        self.assertFalse(self.client.login(**credentials))

-        login = self.client.login(username='inactive', password='password')
-        self.assertFalse(login)
+        with self.settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend']):
+            self.assertTrue(self.client.login(**credentials))

    @override_settings(
        AUTHENTICATION_BACKENDS=[