o Lf@sfddlmZddlmZddlmZddlmZddlmZddl m Z m Z ea Gdd d eZ d S) )local)get_user_model) ModelBackend) app_settings)AuthenticationMethod)filter_users_by_emailfilter_users_by_usernamec@sDeZdZddZddZddZddZed d Zed d Z d S)AuthenticationBackendcKsld}tjtjkr|jdi|}|Stjtjkr,|jdi|}|s*|jdi|}|S|jdi|}|S)N)rAUTHENTICATION_METHODrEMAIL_authenticate_by_emailUSERNAME_EMAIL_authenticate_by_username)selfrequest credentialsretr r ^/var/www/html/humari/django-venv/lib/python3.10/site-packages/allauth/account/auth_backends.py authenticates  z"AuthenticationBackend.authenticatecKstj}|d}|d}t}|r|dus|durdSzt|}Wn|jy6t|YdSw|||r?|SdS)Nusernamepassword)rUSER_MODEL_USERNAME_FIELDgetrr DoesNotExist set_password_check_password)rrusername_fieldrrUseruserr r rrs   z/AuthenticationBackend._authenticate_by_usernamecKsD|d|d}|r t|ddD]}|||dr|SqdS)NemailrT)prefer_verifiedr)rrr)rrr!r r r rr0sz,AuthenticationBackend._authenticate_by_emailcCs*||}|r||}|s|||SN)check_passworduser_can_authenticate _stash_user)rr rrr r rr=s   z%AuthenticationBackend._check_passwordcCsttdd}|t_|S)aNow, be aware, the following is quite ugly, let me explain: Even if the user credentials match, the authentication can fail because Django's default ModelBackend calls user_can_authenticate(), which checks `is_active`. Now, earlier versions of allauth did not do this and simply returned the user as authenticated, even in case of `is_active=False`. For allauth scope, this does not pose a problem, as these users are properly redirected to an account inactive page. This does pose a problem when the allauth backend is used in a different context where allauth is not responsible for the login. Then, by not checking on `user_can_authenticate()` users will allow to become authenticated whereas according to Django logic this should not be allowed. In order to preserve the allauth behavior while respecting Django's logic, we stash a user for which the password check succeeded but `user_can_authenticate()` failed. In the allauth authentication logic, we can then unstash this user and proceed pointing the user to the account inactive page. r N)getattr_stashr )clsr rr r rr&Es z!AuthenticationBackend._stash_usercCs |dSr#)r&)r)r r runstash_authenticated_useras z0AuthenticationBackend.unstash_authenticated_userN) __name__ __module__ __qualname__rrrr classmethodr&r*r r r rr s   r N) threadingrdjango.contrib.authrdjango.contrib.auth.backendsrrrutilsrr r(r r r r rs