o ëË·e×ã@sfddlmZddlmZddlmZddlmZddlmZddlm Z m Z eƒa Gd d „d eƒZ d S) é)Úlocal)Ú ModelBackendé)Úget_user_modelé)Ú app_settings)ÚAuthenticationMethod)Úfilter_users_by_emailÚfilter_users_by_usernamec@sDeZdZdd„Zdd„Zdd„Zdd„Zed d „ƒZed d „ƒZ d S)ÚAuthenticationBackendcKsld}tjtjkr|jdi|¤Ž}|Stjtjkr,|jdi|¤Ž}|s*|jdi|¤Ž}|S|jdi|¤Ž}|S)N©)rÚAUTHENTICATION_METHODrÚEMAILÚ_authenticate_by_emailÚUSERNAME_EMAILÚ_authenticate_by_username)ÚselfÚrequestÚ credentialsÚretr r úT/var/www/ideatree/venv/lib/python3.10/site-packages/allauth/account/auth_backends.pyÚ authenticates  úÿz"AuthenticationBackend.authenticatecKsttj}| d¡}| d¡}tƒ}|r|dus|durdSzt|ƒ ¡}| ||¡r,|WSWdS|jy9YdSw)NÚusernameÚpassword)rÚUSER_MODEL_USERNAME_FIELDÚgetrr Ú_check_passwordÚ DoesNotExist)rrÚusername_fieldrrÚUserÚuserr r rrs    ÿÿz/AuthenticationBackend._authenticate_by_usernamecKs@| d| d¡¡}|rt|ƒD]}| ||d¡r|SqdS)NÚemailrr)rr r)rrr!r r r rr,s ÿz,AuthenticationBackend._authenticate_by_emailcCs*| |¡}|r| |¡}|s| |¡|S©N)Úcheck_passwordÚuser_can_authenticateÚ _stash_user)rr rrr r rr9s   z%AuthenticationBackend._check_passwordcCsttddƒ}|t_|S)a Now, be aware, the following is quite ugly, let me explain: Even if the user credentials match, the authentication can fail because Django's default ModelBackend calls user_can_authenticate(), which checks `is_active`. Now, earlier versions of allauth did not do this and simply returned the user as authenticated, even in case of `is_active=False`. For allauth scope, this does not pose a problem, as these users are properly redirected to an account inactive page. This does pose a problem when the allauth backend is used in a different context where allauth is not responsible for the login. Then, by not checking on `user_can_authenticate()` users will allow to become authenticated whereas according to Django logic this should not be allowed. In order to preserve the allauth behavior while respecting Django's logic, we stash a user for which the password check succeeded but `user_can_authenticate()` failed. In the allauth authentication logic, we can then unstash this user and proceed pointing the user to the account inactive page. r N)ÚgetattrÚ_stashr )Úclsr rr r rr%As z!AuthenticationBackend._stash_usercCs | d¡Sr")r%)r(r r rÚunstash_authenticated_user]s z0AuthenticationBackend.unstash_authenticated_userN) Ú__name__Ú __module__Ú __qualname__rrrrÚ classmethodr%r)r r r rr s   r N) Ú threadingrÚdjango.contrib.auth.backendsrÚutilsrÚrrr r r'r r r r rÚs