authorAlexander Gaevsky <sasha@sasha0.ru>2016-02-05 16:46:19 +0200
committerTim Graham <timograham@gmail.com>2016-03-23 09:01:48 -0400
commite0a3d937309a82b8beea8f41b17d8b6298da2a86 (patch)
tree0e6cd936b358687686a1f3b99b726da3c6a5ac5f /tests
parent1555d50ea40f22524b58e71bf15f3fc69a7c9591 (diff)
Fixed #25232 -- Made ModelBackend/RemoteUserBackend reject inactive users.
Diffstat (limited to 'tests')
-rw-r--r--tests/auth_tests/models/__init__.py10
-rw-r--r--tests/auth_tests/models/custom_user.py9
-rw-r--r--tests/auth_tests/test_auth_backends.py57
-rw-r--r--tests/auth_tests/test_forms.py3
-rw-r--r--tests/auth_tests/test_remote_user.py15
-rw-r--r--tests/test_client/tests.py8
6 files changed, 91 insertions, 11 deletions
diff --git a/tests/auth_tests/models/__init__.py b/tests/auth_tests/models/__init__.py
index d7275e177f..d3e6c73d90 100644
--- a/tests/auth_tests/models/__init__.py
+++ b/tests/auth_tests/models/__init__.py
@@ -1,12 +1,14 @@
from .custom_permissions import CustomPermissionsUser
-from .custom_user import CustomUser, ExtensionUser
+from .custom_user import (
+ CustomUser, CustomUserWithoutIsActiveField, ExtensionUser,
+)
from .invalid_models import CustomUserNonUniqueUsername
from .is_active import IsActiveTestUser1
from .uuid_pk import UUIDUser
from .with_foreign_key import CustomUserWithFK, Email
__all__ = (
- 'CustomUser', 'CustomPermissionsUser', 'CustomUserWithFK', 'Email',
- 'ExtensionUser', 'IsActiveTestUser1', 'UUIDUser',
- 'CustomUserNonUniqueUsername',
+ 'CustomUser', 'CustomUserWithoutIsActiveField', 'CustomPermissionsUser',
+ 'CustomUserWithFK', 'Email', 'ExtensionUser', 'IsActiveTestUser1',
+ 'UUIDUser', 'CustomUserNonUniqueUsername',
)
diff --git a/tests/auth_tests/models/custom_user.py b/tests/auth_tests/models/custom_user.py
index 62dbf9c8be..469cada31e 100644
--- a/tests/auth_tests/models/custom_user.py
+++ b/tests/auth_tests/models/custom_user.py
@@ -97,6 +97,15 @@ class RemoveGroupsAndPermissions(object):
PermissionsMixin._meta.local_many_to_many = self._old_pm_local_m2m
+class CustomUserWithoutIsActiveField(AbstractBaseUser):
+ username = models.CharField(max_length=150, unique=True)
+ email = models.EmailField(unique=True)
+
+ objects = UserManager()
+
+ USERNAME_FIELD = 'username'
+
+
# The extension user is a simple extension of the built-in user class,
# adding a required date_of_birth field. This allows us to check for
# any hard references to the name "User" in forms/handlers etc.
diff --git a/tests/auth_tests/test_auth_backends.py b/tests/auth_tests/test_auth_backends.py
index fee1a66bd4..e3c0109c96 100644
--- a/tests/auth_tests/test_auth_backends.py
+++ b/tests/auth_tests/test_auth_backends.py
@@ -15,7 +15,10 @@ from django.test import (
SimpleTestCase, TestCase, modify_settings, override_settings,
)
-from .models import CustomPermissionsUser, CustomUser, ExtensionUser, UUIDUser
+from .models import (
+ CustomPermissionsUser, CustomUser, CustomUserWithoutIsActiveField,
+ ExtensionUser, UUIDUser,
+)
class CountingMD5PasswordHasher(MD5PasswordHasher):
@@ -200,19 +203,35 @@ class ModelBackendTest(BaseModelBackendTest, TestCase):
Tests for the ModelBackend using the default User model.
"""
UserModel = User
+ user_credentials = {'username': 'test', 'password': 'test'}
def create_users(self):
- self.user = User.objects.create_user(
- username='test',
- email='test@example.com',
- password='test',
- )
+ self.user = User.objects.create_user(email='test@example.com', **self.user_credentials)
self.superuser = User.objects.create_superuser(
username='test2',
email='test2@example.com',
password='test',
)
+ def test_authenticate_inactive(self):
+ """
+ An inactive user can't authenticate.
+ """
+ self.assertEqual(authenticate(**self.user_credentials), self.user)
+ self.user.is_active = False
+ self.user.save()
+ self.assertIsNone(authenticate(**self.user_credentials))
+
+ @override_settings(AUTH_USER_MODEL='auth_tests.CustomUserWithoutIsActiveField')
+ def test_authenticate_user_without_is_active_field(self):
+ """
+ A custom user without an `is_active` field is allowed to authenticate.
+ """
+ user = CustomUserWithoutIsActiveField.objects._create_user(
+ username='test', email='test@example.com', password='test',
+ )
+ self.assertEqual(authenticate(username='test', password='test'), user)
+
@override_settings(AUTH_USER_MODEL='auth_tests.ExtensionUser')
class ExtensionUserModelBackendTest(BaseModelBackendTest, TestCase):
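Review bot: Nothing in this hunk covers a user who is deactivated after a session already exists: `test_authenticate_inactive` exercises `authenticate()` only, never `get_user()`. The `test_get_user` added for AllowAllUsersModelBackendTest further down suggests the backend's `get_user()` is meant to reject inactive users as well, but the backend code is not on this page, so confirm that before adding the test below to ModelBackendTest. Separately, `test_authenticate_user_without_is_active_field` calls the private manager method `_create_user`; a one-line comment saying why `create_user` is not used would help the next reader. ModelBackendTest's body starts outside the hunk.

```python
    # ... unchanged: test_authenticate_inactive ...

    def test_get_user_inactive(self):
        """
        A session created before the user was deactivated no longer
        resolves to that user.
        """
        self.client.force_login(self.user)
        self.user.is_active = False
        self.user.save()
        request = HttpRequest()
        request.session = self.client.session
        self.assertTrue(get_user(request).is_anonymous())
```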
@@ -676,3 +695,29 @@ class SelectingBackendTests(TestCase):
user = User.objects.create_user(self.username, 'email', self.password)
self.client._login(user, self.other_backend)
self.assertBackendInSession(self.other_backend)
+
+
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
+class AllowAllUsersModelBackendTest(TestCase):
+ """
+ Inactive users may authenticate with the AllowAllUsersModelBackend.
+ """
+ user_credentials = {'username': 'test', 'password': 'test'}
+
+ @classmethod
+ def setUpTestData(cls):
+ cls.user = User.objects.create_user(
+ email='test@example.com', is_active=False,
+ **cls.user_credentials
+ )
+
+ def test_authenticate(self):
+ self.assertFalse(self.user.is_active)
+ self.assertEqual(authenticate(**self.user_credentials), self.user)
+
+ def test_get_user(self):
+ self.client.force_login(self.user)
+ request = HttpRequest()
+ request.session = self.client.session
+ user = get_user(request)
+ self.assertEqual(user, self.user)
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index f43a814c88..0e0ba71504 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -166,6 +166,9 @@ class UserCreationFormTest(TestDataMixin, TestCase):
self.assertEqual(form.cleaned_data['password2'], data['password2'])
+# To verify that the login form rejects inactive users, use an authentication
+# backend that allows them.
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
class AuthenticationFormTest(TestDataMixin, TestCase):
def test_invalid_username(self):
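Review bot: The `@override_settings` decorator sits on the whole of AuthenticationFormTest, so every test in the class now runs against AllowAllUsersModelBackend, not just the inactive-user ones the comment refers to. The form is therefore no longer exercised against the default backend in this class. Consider moving the decorator onto the individual inactive-user tests, or adding one test under the default backend that pins what the form reports for an inactive account (presumably the generic invalid-login error, which would also avoid revealing account state). The class body continues outside the hunk, so such a test may already exist there.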
diff --git a/tests/auth_tests/test_remote_user.py b/tests/auth_tests/test_remote_user.py
index a413b97ee4..4e916d80ec 100644
--- a/tests/auth_tests/test_remote_user.py
+++ b/tests/auth_tests/test_remote_user.py
@@ -145,6 +145,11 @@ class RemoteUserTest(TestCase):
# In backends that do not create new users, it is '' (anonymous user)
self.assertNotEqual(response.context['user'].username, 'knownuser')
+ def test_inactive_user(self):
+ User.objects.create(username='knownuser', is_active=False)
+ response = self.client.get('/remote_user/', **{self.header: 'knownuser'})
+ self.assertTrue(response.context['user'].is_anonymous())
+
class RemoteUserNoCreateBackend(RemoteUserBackend):
"""Backend that doesn't create unknown users."""
@@ -166,6 +171,16 @@ class RemoteUserNoCreateTest(RemoteUserTest):
self.assertEqual(User.objects.count(), num_users)
+class AllowAllUsersRemoteUserBackendTest(RemoteUserTest):
+ """Backend that allows inactive users."""
+ backend = 'django.contrib.auth.backends.AllowAllUsersRemoteUserBackend'
+
+ def test_inactive_user(self):
+ user = User.objects.create(username='knownuser', is_active=False)
+ response = self.client.get('/remote_user/', **{self.header: self.known_user})
+ self.assertEqual(response.context['user'].username, user.username)
+
+
class CustomRemoteUserBackend(RemoteUserBackend):
"""
Backend that overrides RemoteUserBackend methods.
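Review bot: In `AllowAllUsersRemoteUserBackendTest.test_inactive_user` the user row is created with the literal `'knownuser'` while the header sends `self.known_user`, so the test only works as long as the two happen to match. Use one source for both, e.g. `user = User.objects.create(username=self.known_user, is_active=False)`. The base `RemoteUserTest.test_inactive_user` in the previous hunk hard-codes the literal in both places and could take the same change, assuming subclasses that inherit it keep `known_user` as the stored username. The class docstring `"""Backend that allows inactive users."""` describes a backend rather than the test case; something like `"""RemoteUserTest run against a backend that allows inactive users."""` would be more accurate.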
diff --git a/tests/test_client/tests.py b/tests/test_client/tests.py
index 741dd0be54..2ffc1d6896 100644
--- a/tests/test_client/tests.py
+++ b/tests/test_client/tests.py
@@ -437,6 +437,12 @@ class ClientTest(TestCase):
login = self.client.login(username='inactive', password='password')
self.assertFalse(login)
+ @override_settings(
+ AUTHENTICATION_BACKENDS=[
+ 'django.contrib.auth.backends.ModelBackend',
+ 'django.contrib.auth.backends.AllowAllUsersModelBackend',
+ ]
+ )
def test_view_with_inactive_force_login(self):
"Request a page that is protected with @login, but use an inactive login"
@@ -445,7 +451,7 @@ class ClientTest(TestCase):
self.assertRedirects(response, '/accounts/login/?next=/login_protected_view/')
# Log in
- self.client.force_login(self.u2)
+ self.client.force_login(self.u2, backend='django.contrib.auth.backends.AllowAllUsersModelBackend')
# Request a page that requires a login
response = self.client.get('/login_protected_view/')
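Review bot: The explicit `backend=` argument on `force_login` and the two-entry `AUTHENTICATION_BACKENDS` override in the previous hunk carry no comment saying why they are needed. A reader has to infer that the default backend now rejects the inactive `self.u2`. A comment above the call, such as `# ModelBackend rejects inactive users; log in through the backend that accepts them.`, would record the intent. It would also help to state in the test docstring what the protected view is expected to do for an inactive but logged-in user, since the assertion for that lies outside this hunk.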