Django: How do I use is_active of auth_user table?


Solution 1

from django.contrib.auth import authenticate
user = authenticate(username='john', password='secret')
if user is not None:  # check whether a user was returned
    # the password verified for the user
    if user.is_active:
        print("User is valid, active and authenticated")
    else:
        print("The password is valid, but the account has been disabled!")
else:
    # the authentication system was unable to verify the username and password
    print("The username and password were incorrect.")

This will be helpful for you to understand Django authentication.

Solution 2

An inactive user is one that has its is_active field set to False.

As of Django version 1.10: the ModelBackend (the default authentication backend) and RemoteUserBackend authentication backends prohibit these inactive users from authenticating. So, if you use those backends, you won't need to use the following style:

# authentication has been successful now...
if user.is_active:
    login(request, user)
    # redirect to success page
else:
    # return disabled account error message
    pass

If a custom user model doesn't have an is_active field, all users will be allowed to authenticate. Prior to version 1.10, ModelBackend allowed inactive users to authenticate; this was useful where you first allowed the user to authenticate and then allowed them to activate their account (only after they had successfully authenticated).

Please note that the @login_required decorator does not check for the is_active flag on the user.

Check AUTHENTICATION_BACKENDS to see which ones you are using. See https://docs.djangoproject.com/en/1.10/topics/auth/customizing/

Author by

Burger King

Updated on June 11, 2022

Comments

  • Burger King
    Burger King almost 2 years

    I don't know when is a good time to use the param.

    djangoproject describes it as below:

    Boolean. Designates whether this user account should be considered active. We recommend that you set this flag to False instead of deleting accounts; that way, if your applications have any foreign keys to users, the foreign keys won’t break.

    This doesn’t necessarily control whether or not the user can log in. Authentication backends aren’t required to check for the is_active flag, and the default backends do not. If you want to reject a login based on is_active being False, it’s up to you to check that in your own login view or a custom authentication backend. However, the AuthenticationForm used by the login() view (which is the default) does perform this check, as do the permission-checking methods such as has_perm() and the authentication in the Django admin. All of those functions/methods will return False for inactive users.

    readthedocs describes it as below:

    Authorization for inactive users

    An inactive user is a one that is authenticated but has its attribute is_active set to False. However this does not mean they are not authorized to do anything. For example they are allowed to activate their account.

    The support for anonymous users in the permission system allows for a scenario where anonymous users have permissions to do something while inactive authenticated users do not.

    Do not forget to test for the is_active attribute of the user in your own backend permission methods.

    Can anyone give an example that shows what I need to watch out for with this param, or how to use it?

  • Ibrahim Berber
    Ibrahim Berber almost 3 years
    Please provide explanation with your answers. Simply posting code does not spread knowledge of integral scripting processes which helps people understand the logic and reasoning behind your answer.