Django - user is_active

Question

This is my user authentication method:

def user_login(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')
        user = authenticate(username=username, password=password)

        if user:
            if user.is_active:
                login(request, user)
                return HttpResponseRedirect(reverse('index'))
            else:
                print('TEST')
                messages.info(request, 'Inactive user')
                return HttpResponseRedirect(reverse('index'))
        else:
            messages.error(request, 'Invalid username/password!')
        return HttpResponseRedirect(reverse('index'))
    else:
        return render(request, 'mainapp/login.html', {})

If user exists and is not active wrong message appears:

messages.error(request, 'Invalid username/password!')
return HttpResponseRedirect(reverse('index'))

instead of:

print('TEST')
messages.info(request, 'Inactive user')
return HttpResponseRedirect(reverse('index'))

I don't have any idea what is wrong here... Any clues?

Django comes with [authentication views](https://docs.djangoproject.com/en/1.10/topics/auth/default/#module-django.contrib.auth.views) including a login view. You don't have to write your own! — Alasdair, Apr 03 '17 at 12:24

score 28 · Accepted Answer · answered Apr 03 '17 at 12:22

28

The default ModelBackend authentication backend started rejecting inactive users in Django 1.10. Therefore your authenticate() call returns None, and you get the Invalid username/password! message from the outer if/else statement.

As Daniel says, if you use the default ModelBackend, you no longer need to check user.is_active in your login view.

If you really want authenticate to return inactive users, then you can use AllowAllUsersModelBackend instead. If you do this, then it is your responsibility to check the is_active flag in your login view.

AUTHENTICATION_BACKENDS = ['django.contrib.auth.backends.AllowAllUsersModelBackend']

answered Apr 03 '17 at 12:22

Alasdair

298,606
55
578
516

I tried this and solved the problem, one question though. are there any downsides with using this? – Isaac Hatilima Feb 16 '23 at 08:50
1

@IsaacHatilima it can useful to set `is_active=False` to prevent a user from logging in. If you change this then you’ll lose that ability. Whether that’s a downside depends on your requirements. – Alasdair Feb 18 '23 at 16:33

score 6 · Answer 2 · answered Apr 03 '17 at 12:13

6

The call to authenticate already checks that the user has the is_active flag set, and returns None if not. There is no need to check it separately.

answered Apr 03 '17 at 12:13

Daniel Roseman

588,541
66
880
895

3

How then I check if user exists but is inactive? – jundymek Apr 03 '17 at 12:22
1

Why do you want to? – Daniel Roseman Apr 03 '17 at 12:24
1

I am just learning Django and since there is "is_active" flag I would like to know how can I use it. – jundymek Apr 03 '17 at 12:30
1

One reason might be to display validation error for a disabled / inactive user to inform them that they are no-longer active? – Jarad Mar 28 '18 at 22:41
2

in django 1.9, ``authenticate`` won't check ``user.is_active`` but in django 2.1 this is automatically checked. see [django 1.9 doc](https://docs.djangoproject.com/en/1.9/ref/contrib/auth/#django.contrib.auth.models.User.is_active) and [django 2.1 doc](https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.models.User.is_active) – youkaichao Oct 15 '18 at 03:03

Django - user is_active

2 Answers2

Linked