22

Our Django deployment checks every night which active users can still be found in out LDAP directory. If they cannot be found anymore, we set them to inactive. If they try to login next time, this will fail. Here is our code that does this:

def synchronize_users_with_ad(sender, **kwargs):
    """Signal listener which synchronises all active users without a usable
    password against the LDAP directory.  If a user cannot be
    found anymore, he or she is set to “inactive”.
    """
    ldap_connection = LDAPConnection()
    for user in User.objects.filter(is_active=True):
        if not user.has_usable_password() and not existing_in_ldap(user):
            user.is_active = user.is_staff = user.is_superuser = False
            user.save()
            user.groups.clear()
            user.user_permissions.clear()

maintain.connect(synchronize_users_with_ad)

But if they are still logged in, this session(s) is/are still working. How can we make them invalid immediately? All settings of the session middleware are default values.

Torsten Bronger
  • 9,899
  • 7
  • 34
  • 41
  • This should be marked a duplicate of http://stackoverflow.com/questions/953879/how-to-force-user-logout-in-django In particular, I found an answer for me there. – Torsten Bronger Aug 13 '14 at 05:52

3 Answers3

32

You can log them out using

from django.contrib.auth import logout

if <your authentication validation logic>:
    logout(request)

... from within any view.

logout() Django docs here.

Paolo
  • 20,112
  • 21
  • 72
  • 113
  • 1
    `from django.contrib.auth import logout` as well – C.B. Aug 11 '14 at 20:23
  • This doesn't seem to answer the question. OP appears to want a way to manually log users out immediately (which would probably involve some kind of session manipulation, if it's possible at all). – Daniel Roseman Aug 11 '14 at 20:31
  • 3
    Even if you don't log the users off immediately, they get logged off as soon as they try to access any view or the views in which the check is performed and invalid users are `logout()`. –  Aug 11 '14 at 20:33
  • I added a code snippet to explain more exactly what we are doing. As you can see, we have no `request` object. – Torsten Bronger Aug 12 '14 at 04:18
  • At least setting a user to inactive does not prevent him or her from still using the site. I could still walk around while being inactive. The Revoked permissions may impose a certain limitation but that's all. – Torsten Bronger Aug 12 '14 at 04:23
1

In addition to the login_required decorator, you could use the user_passes_test decorator to test if the user is still active.

from django.contrib.auth import user_passes_test

def is_user_active(user):
    return user.is_active

@user_passes_test(is_user_active, login_url='/your_login')
def your_function(request):
    ....
klasske
  • 2,164
  • 1
  • 24
  • 31
  • 3
    Thank you, I didn't know this decorator and it may be useful to me someday. However, cluttering 60.000 LOC with this decorator exactly fails to fill me with enthusiasm. ;-) What would help, for example, is a `logout(user)` function. – Torsten Bronger Aug 12 '14 at 17:28
1

You can use a session backend that lets you query and get the sessions of a specific user. In these session backends, Session has a foreign key to User, so you can query sessions easily:

Using these backends, deleting all sessions of a user can be done in a single line of code:

# log-out a user
user.session_set.all().delete()

Disclaimer: I am the author of django-qsessions.

Mohammad Javad Naderi
  • 486
  • 1
  • 4
  • 14