Diffstat (limited to 'tests/auth_tests/test_forms.py')
-rw-r--r--tests/auth_tests/test_forms.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index 7d8b5f7486..7690b62514 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -262,6 +262,9 @@ class UserCreationFormTest(TestDataMixin, TestCase):
)
+# To verify that the login form rejects inactive users, use an authentication
+# backend that allows them.
+@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.AllowAllUsersModelBackend'])
class AuthenticationFormTest(TestDataMixin, TestCase):
def test_invalid_username(self):
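Review bot: The class-level `@override_settings` switches the authentication backend for every test in `AuthenticationFormTest`, not only the inactive-user ones, and the comment above it does not say so. Tests such as `test_invalid_username` therefore stop exercising whichever backend the test settings configure, which is presumably the stricter `ModelBackend` that the second hunk has to re-select. I would extend the comment with something like `# Applies to every test in this class; a test that needs ModelBackend's rejection of inactive users must override this per method.` so that later additions do not silently run against the permissive backend. The class body continues outside this hunk, so the other affected tests are not visible here.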
@@ -291,6 +294,24 @@ class AuthenticationFormTest(TestDataMixin, TestCase):
self.assertFalse(form.is_valid())
self.assertEqual(form.non_field_errors(), [str(form.error_messages['inactive'])])
+ # Use an authentication backend that rejects inactive users.
+ @override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.ModelBackend'])
+ def test_inactive_user_incorrect_password(self):
+ """An invalid login doesn't leak the inactive status of a user."""
+ data = {
+ 'username': 'inactive',
+ 'password': 'incorrect',
+ }
+ form = AuthenticationForm(None, data)
+ self.assertFalse(form.is_valid())
+ self.assertEqual(
+ form.non_field_errors(), [
+ form.error_messages['invalid_login'] % {
+ 'username': User._meta.get_field('username').verbose_name
+ }
+ ]
+ )
+
def test_login_failed(self):
signal_calls = []
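Review bot: `test_inactive_user_incorrect_password` pins only the wrong-password path, so nothing in this hunk asserts what the form returns when an inactive account is presented with its correct password under `ModelBackend`. That is the case where account state is most likely to be disclosed: if a later change let the `inactive` message through again, anyone holding valid credentials could tell a disabled account from a nonexistent one, and this test would still pass. I would add a sibling test under the same `@override_settings(AUTHENTICATION_BACKENDS=['django.contrib.auth.backends.ModelBackend'])` that differs only in the `'password'` value (the fixture's real password for `inactive`, which is not visible on this page) and asserts the same `invalid_login` message. Separately, the context line above wraps the expected message in `str(...)` while the new assertion does not; using one form in both keeps the comparisons consistent.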