[Django] #34002: PasswordResetView cannot find is_active property of User model extending AbstractBaseUser
Django
AbstractBaseUser
-------------------------------------+-------------------------------------
Reporter: Brylie | Owner: nobody
Christopher Oxley |
Type: | Status: new
Uncategorized |
Component: | Version: 4.1
contrib.auth |
Severity: Normal | Keywords:
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
I have a user model that extends AbstractBaseUser. When trying to reset a
user password via the django.contrib.auth.views.PasswordResetView, I get
the following error:
FieldError at /accounts/password_reset/
Cannot resolve keyword 'is_active' into field.
While the AbstractBaseUser class does have an is_active property set to
True, it seems that the PasswordResetView is somehow excluding this
property.
The issue is resolved by adding an is_active BooleanField to my User
model, but seems like a bug in PasswordResetView.
--
Ticket URL: <https://code.djangoproject.com/ticket/34002>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
AbstractBaseUser
-------------------------------------+-------------------------------------
Oxley |
Type: Uncategorized | Status: closed
Component: contrib.auth | Version: 4.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
* status: new => closed
* resolution: => invalid
Comment:
This is a
[https://docs.djangoproject.com/en/stable/topics/auth/customizing/#custom-
users-and-the-built-in-auth-forms documented limitation]:
> ''"`PasswordResetForm`: Assumes that the user model has a field that
stores the user’s email address with the name returned by
`get_email_field_name()` (`email` by default) that can be used to identify
the user **and a boolean field named `is_active`** to prevent password
resets for inactive users."''
--
Ticket URL: <https://code.djangoproject.com/ticket/34002#comment:1>
Django
AbstractBaseUser
-------------------------------------+-------------------------------------
Reporter: Brylie Christopher | Owner: nobody
Oxley |
Type: Uncategorized | Status: closed
Component: contrib.auth | Version: 4.1
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Brylie Christopher Oxley):
Thanks for pointing me to the docs Mariusz.
I still believe this is a bug for a couple of reasons. First, Django is
inconsistent since the AbstractBaseUser can't be used in the standard
password reset views, despite having the ''is_active'' boolean property.
Likewise, the default Django password reset flow is not resilient to User
models that don't have ''is_active'' defined as a field, even when the
downstream project may not need an activation flow (or use the same model
field/property).
I believe there could actually be a middle ground here if we could give
this issue a bit more time for consideration, rather than immediately
dismissing it as invalid. One solution could be to check for the existence
of the ''is_active'' property/field and run the relevant checks only if
the field/property has a value.
From what I understand, some contributor has likely added the
''is_active'' boolean property to the AbstractBaseUser model to harmonize
it with other parts of the authentication framework. Conversely, the
different parts of the authentication framework, namely the password reset
flow, could be made more resilient to the absence of an ''is_active''
field/property.
--
Ticket URL: <https://code.djangoproject.com/ticket/34002#comment:2>