Logout inactive user

Describe the bug

The @login_required decorator does not check if a user is active. I’m not sure if this was a design choice, but intuitively I would expect to be able to log a user out by deactivating it.

To Reproduce

Steps to reproduce the behavior:

  1. Create a user
  2. Login with that user
  3. Set user.is_active = False
  4. User is still able to access view decorated with @login_required

Expected behavior

Intuitively I would expect this line in the @login_required decorator

    elif not current_user.is_authenticated:
        return current_app.login_manager.unauthorized()

to read

    elif not (current_user.is_authenticated and current_user.is_active):
        return current_app.login_manager.unauthorized()

Screenshots

NA

Desktop (please complete the following information):

  • OS: N/A
  • Browser [e.g. chrome, safari]: N/A
  • Version [e.g. 22]: 0.4.1 (I think it came as a dependency from flask-security)

Additional context

Again, not sure whether it is a genuine bug or a misunderstanding from my side. We could get around it on our side by overriding user.is_authenticated in our User class to return super().is_authenticated and self.is_active.

Addressed in #489

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 8

Top GitHub Comments

alanhamlett commented, Jul 30, 2020

If @login_required checks the User.is_active property it leads people to not check is_active in their is_authenticated method. That leads to inactive users still able to access resources requiring login when manually checking current_user.is_authenticated. Instead, we’ll update UserMixin.is_authenticated to:

    @property
    def is_authenticated(self):
        return self.is_active
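As an added illustration (not code from the issue thread or from Flask-Login itself), the following stand-alone model contrasts the behaviour the reporter describes with the UserMixin.is_authenticated change above. It assumes a hypothetical Session class in place of the request context, and keeps is_active as a plain class attribute so it can be flipped on the instance.

```python
from functools import wraps

# Stand-ins for Flask-Login's UserMixin, current_user and login_required (constructed
# for this example; not the library's own code).
class LegacyUserMixin:
    """Behaviour the issue reports: authenticated regardless of is_active."""
    is_active = True
    @property
    def is_authenticated(self):
        return True

class UserMixin(LegacyUserMixin):
    """Behaviour after the change discussed in the thread: active users only."""
    @property
    def is_authenticated(self):
        return self.is_active

class AnonymousUser:
    is_active = False
    is_authenticated = False

class Session:  # stands in for the request context that carries current_user
    def __init__(self):
        self.current_user = AnonymousUser()
    def login_user(self, user):
        if not user.is_active:  # login_user() already refuses inactive users
            return False
        self.current_user = user
        return True

def login_required(session):
    def decorator(view):  # the single is_authenticated check quoted in the issue
        @wraps(view)
        def wrapped(*args, **kwargs):
            if not session.current_user.is_authenticated:
                return "401 unauthorized"
            return view(*args, **kwargs)
        return wrapped
    return decorator

def deactivate_after_login(mixin):
    """Log in, deactivate the user, then call a protected view; return both responses."""
    session, user = Session(), mixin()
    session.login_user(user)
    @login_required(session)
    def dashboard():
        return "200 dashboard"
    before = dashboard()
    user.is_active = False  # the "log out by deactivating" the reporter expected
    return before, dashboard()
```

With the legacy mixin the protected view stays reachable after deactivation; with the updated mixin the same decorator, unchanged, starts returning unauthorized, and so does any manual current_user.is_authenticated check.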
WaizungTaam commented, Apr 25, 2020

Setting a logged-in user inactive is meaningless. is_active = False prevents inactive users from logging in, and login_user() is doing the job.

To inactivate an already logged-in user, logout first, and then set is_active = False to prevent it from logging in again.
