archesproject/arches

Make permission framework aware of deactivated users

jacobtylerwalls opened this issue · 0 comments

The User model has an is_active flag to allow admins to soft-delete a user by revoking their access without actually removing them and their associated data from the system.

The default ModelBackend authentication backend already takes this into account.

However, the 7.6 permissions framework doesn't seem to take this into account anywhere.

Test case for PermissionsTest:

    def test_inactive_user(self):
        self.user.is_active = False
        self.user.save()

        implicit_permission = user_can_read_resource(
            self.user, self.resource_instance_id
        )
        self.assertIs(implicit_permission, False)

    ======================================================================
    FAIL: test_inactive_user (tests.permissions.permission_tests.PermissionTests.test_inactive_user)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "/Users/jwalls/prj/arches/tests/permissions/permission_tests.py", line 128, in test_inactive_user
        self.assertIs(implicit_permission, False)
    AssertionError: True is not False

    ----------------------------------------------------------------------
    Ran 2 tests in 5.367s

    FAILED (failures=1)
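
An added illustration of the gap reported above (not code from the issue or from Arches): a fail-closed guard that refuses deactivated users before any permission rule runs. `StubUser`, `deny_inactive`, `user_can_read_resource_unguarded` and the rule inside it are hypothetical stand-ins so the snippet runs without Django; only `is_active` and the name `user_can_read_resource` come from the issue.

```python
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class StubUser:
    """Constructed stand-in for a Django User (assumption, not Arches code)."""
    username: str
    is_active: bool = True
    is_superuser: bool = False
    readable: set = field(default_factory=set)  # resource ids granted to the user


def deny_inactive(check):
    """Wrap a permission check so deactivated users are always refused.

    Fails closed: a missing user or a missing is_active attribute counts
    as inactive, and the wrapped check is never consulted.
    """
    @wraps(check)
    def guarded(user, *args, **kwargs):
        if user is None or not getattr(user, "is_active", False):
            return False
        return check(user, *args, **kwargs)
    return guarded


def user_can_read_resource_unguarded(user, resource_id):
    """Hypothetical rule that never looks at is_active (the reported gap)."""
    return user.is_superuser or resource_id in user.readable


# Hardened variant: same rule, gated on is_active first.
user_can_read_resource = deny_inactive(user_can_read_resource_unguarded)


def demo():
    """Return (unguarded, guarded) results for a deactivated superuser."""
    user = StubUser("former_admin", is_active=False, is_superuser=True)
    rid = "constructed-resource-id"
    return (user_can_read_resource_unguarded(user, rid),
            user_can_read_resource(user, rid))
```

Applying the guard as a decorator at every public permission entry point keeps the `is_active` check in one place, so a newly added check cannot omit it.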