Fixed #28645 -- Reallowed AuthenticationForm to raise the inactive user error when using ModelBackend.

Regression in e0a3d93730. Thanks Guilherme Junqueira for the report and Tim Graham for the review.
2017-11-08 16:32:49 +08:00 · 2017-11-08 16:32:49 +08:00 · 359370a8b8
parent 3ae9c356c5
commit 359370a8b8
3 changed files with 13 additions and 4 deletions
--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
@ -192,6 +192,15 @@ class AuthenticationForm(forms.Form):
        if username is not None and password:
            self.user_cache = authenticate(self.request, username=username, password=password)
            if self.user_cache is None:
+                # An authentication backend may reject inactive users. Check
+                # if the user exists and is inactive, and raise the 'inactive'
+                # error if so.
+                try:
+                    self.user_cache = UserModel._default_manager.get_by_natural_key(username)
+                except UserModel.DoesNotExist:
+                    pass
+                else:
+                    self.confirm_login_allowed(self.user_cache)
                raise self.get_invalid_login_error()
            else:
                self.confirm_login_allowed(self.user_cache)
--- a/docs/releases/1.11.8.txt
+++ b/docs/releases/1.11.8.txt
@ -9,4 +9,5 @@ Django 1.11.8 fixes several bugs in 1.11.7.
 Bugfixes
 ========

-* ...
+* Reallowed, following a regression in Django 1.10, ``AuthenticationForm`` to
+  raise the inactive user error when using ``ModelBackend`` (:ticket:`28645`).
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@ -262,9 +262,6 @@ class UserCreationFormTest(TestDataMixin, TestCase):
        )


-# To verify that the login form rejects inactive users, use an authentication
-# backend that allows them.
-@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
 class AuthenticationFormTest(TestDataMixin, TestCase):

    def test_invalid_username(self):
@ -323,6 +320,8 @@ class AuthenticationFormTest(TestDataMixin, TestCase):
            self.assertFalse(form.is_valid())
            self.assertEqual(form.non_field_errors(), [str(form.error_messages['inactive'])])

+    # Use an authentication backend that allows inactive users.
+    @override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
    def test_custom_login_allowed_policy(self):
        # The user is inactive, but our custom form policy allows them to log in.
        data = {