Fixed #25232 -- Made ModelBackend/RemoteUserBackend reject inactive users.

tests/auth_tests/models/__init__.py

@@ -1,12 +1,14 @@
 from .custom_permissions import CustomPermissionsUser
-from .custom_user import CustomUser, ExtensionUser
+from .custom_user import (
+    CustomUser, CustomUserWithoutIsActiveField, ExtensionUser,
+)
 from .invalid_models import CustomUserNonUniqueUsername
 from .is_active import IsActiveTestUser1
 from .uuid_pk import UUIDUser
 from .with_foreign_key import CustomUserWithFK, Email
 
 __all__ = (
-    'CustomUser', 'CustomPermissionsUser', 'CustomUserWithFK', 'Email',
-    'ExtensionUser', 'IsActiveTestUser1', 'UUIDUser',
-    'CustomUserNonUniqueUsername',
+    'CustomUser', 'CustomUserWithoutIsActiveField', 'CustomPermissionsUser',
+    'CustomUserWithFK', 'Email', 'ExtensionUser', 'IsActiveTestUser1',
+    'UUIDUser', 'CustomUserNonUniqueUsername',
 )

tests/auth_tests/models/custom_user.py

@@ -97,6 +97,15 @@ class RemoveGroupsAndPermissions(object):
         PermissionsMixin._meta.local_many_to_many = self._old_pm_local_m2m
 
 
+class CustomUserWithoutIsActiveField(AbstractBaseUser):
+    username = models.CharField(max_length=150, unique=True)
+    email = models.EmailField(unique=True)
+
+    objects = UserManager()
+
+    USERNAME_FIELD = 'username'
+
+
 # The extension user is a simple extension of the built-in user class,
 # adding a required date_of_birth field. This allows us to check for
 # any hard references to the name "User" in forms/handlers etc.

tests/auth_tests/test_auth_backends.py

@@ -15,7 +15,10 @@ from django.test import (
     SimpleTestCase, TestCase, modify_settings, override_settings,
 )
 
-from .models import CustomPermissionsUser, CustomUser, ExtensionUser, UUIDUser
+from .models import (
+    CustomPermissionsUser, CustomUser, CustomUserWithoutIsActiveField,
+    ExtensionUser, UUIDUser,
+)
 
 
 class CountingMD5PasswordHasher(MD5PasswordHasher):
@@ -200,19 +203,35 @@ class ModelBackendTest(BaseModelBackendTest, TestCase):
     Tests for the ModelBackend using the default User model.
     """
     UserModel = User
+    user_credentials = {'username': 'test', 'password': 'test'}
 
     def create_users(self):
-        self.user = User.objects.create_user(
-            username='test',
-            email='test@example.com',
-            password='test',
-        )
+        self.user = User.objects.create_user(email='test@example.com', **self.user_credentials)
         self.superuser = User.objects.create_superuser(
             username='test2',
             email='test2@example.com',
             password='test',
         )
 
+    def test_authenticate_inactive(self):
+        """
+        An inactive user can't authenticate.
+        """
+        self.assertEqual(authenticate(**self.user_credentials), self.user)
+        self.user.is_active = False
+        self.user.save()
+        self.assertIsNone(authenticate(**self.user_credentials))
+
+    @override_settings(AUTH_USER_MODEL='auth_tests.CustomUserWithoutIsActiveField')
+    def test_authenticate_user_without_is_active_field(self):
+        """
+        A custom user without an `is_active` field is allowed to authenticate.
+        """
+        user = CustomUserWithoutIsActiveField.objects._create_user(
+            username='test', email='test@example.com', password='test',
+        )
+        self.assertEqual(authenticate(username='test', password='test'), user)
+
 
 @override_settings(AUTH_USER_MODEL='auth_tests.ExtensionUser')
 class ExtensionUserModelBackendTest(BaseModelBackendTest, TestCase):
@@ -676,3 +695,29 @@ class SelectingBackendTests(TestCase):
         user = User.objects.create_user(self.username, 'email', self.password)
         self.client._login(user, self.other_backend)
         self.assertBackendInSession(self.other_backend)
+
+
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
+class AllowAllUsersModelBackendTest(TestCase):
+    """
+    Inactive users may authenticate with the AllowAllUsersModelBackend.
+    """
+    user_credentials = {'username': 'test', 'password': 'test'}
+
+    @classmethod
+    def setUpTestData(cls):
+        cls.user = User.objects.create_user(
+            email='test@example.com', is_active=False,
+            **cls.user_credentials
+        )
+
+    def test_authenticate(self):
+        self.assertFalse(self.user.is_active)
+        self.assertEqual(authenticate(**self.user_credentials), self.user)
+
+    def test_get_user(self):
+        self.client.force_login(self.user)
+        request = HttpRequest()
+        request.session = self.client.session
+        user = get_user(request)
+        self.assertEqual(user, self.user)

tests/auth_tests/test_forms.py

@@ -166,6 +166,9 @@ class UserCreationFormTest(TestDataMixin, TestCase):
         self.assertEqual(form.cleaned_data['password2'], data['password2'])
 
 
+# To verify that the login form rejects inactive users, use an authentication
+# backend that allows them.
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
 class AuthenticationFormTest(TestDataMixin, TestCase):
 
     def test_invalid_username(self):

tests/auth_tests/test_remote_user.py

@@ -145,6 +145,11 @@ class RemoteUserTest(TestCase):
         # In backends that do not create new users, it is '' (anonymous user)
         self.assertNotEqual(response.context['user'].username, 'knownuser')
 
+    def test_inactive_user(self):
+        User.objects.create(username='knownuser', is_active=False)
+        response = self.client.get('/remote_user/', **{self.header: 'knownuser'})
+        self.assertTrue(response.context['user'].is_anonymous())
+
 
 class RemoteUserNoCreateBackend(RemoteUserBackend):
     """Backend that doesn't create unknown users."""
@@ -166,6 +171,16 @@ class RemoteUserNoCreateTest(RemoteUserTest):
         self.assertEqual(User.objects.count(), num_users)
 
 
+class AllowAllUsersRemoteUserBackendTest(RemoteUserTest):
+    """Backend that allows inactive users."""
+    backend = 'django.contrib.auth.backends.AllowAllUsersRemoteUserBackend'
+
+    def test_inactive_user(self):
+        user = User.objects.create(username='knownuser', is_active=False)
+        response = self.client.get('/remote_user/', **{self.header: self.known_user})
+        self.assertEqual(response.context['user'].username, user.username)
+
+
 class CustomRemoteUserBackend(RemoteUserBackend):
     """
     Backend that overrides RemoteUserBackend methods.