Potential regression in expected behavior with UserMixin.is_authenticated defaulting to is_active that was changed in 0.6.0 #713

Open
nickjj opened this issue Oct 23, 2022 · 0 comments

Comments

Contributor

nickjj commented Oct 23, 2022

Version 0.6.0 has:

Based on the comments in the above issues, the case for doing this was to prevent inactive users from logging in, but an inactive user is not the same as a user who can't authenticate due to invalid credentials. These are much different things.

In 0.5.0 you could do:

    @login_manager.user_loader
    def load_user(uid):
        user = user_model.query.get(uid)

        if not user.is_active():
            login_manager.login_message = 'This account has been disabled.'
            return None

        return user

And then if an inactive user tried to log in they would receive a custom flash message. This lets them know they have an account but they've been disabled.

With 0.6.0 this code path doesn't seem to execute because the user gets blocked before they would be loaded, so you end up with whatever message you would send to the user when their authentication failed. This is a regression in behavior.

I thought a potential workaround in 0.6.0 would have been to add this to my user model (the default in 0.5.0):

    def is_authenticated(self):
        return True

But this had no effect. I'm still not able to execute the user loader that would have presented a custom flash message.

How can we get the old behavior back where end users of this library can handle inactive users after they've been authenticated?
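
The distinction drawn in this issue between failed authentication and a disabled account, as an added example that is not part of the original issue and is not Flask-Login code. It is a framework-independent sketch: `User`, `USERS`, `Outcome` and `attempt_login` are hypothetical names, and the accounts are constructed sample data. The "disabled" message is only returned after the password has been verified, so it cannot be used to probe which accounts exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    OK = "Logged in."
    BAD_CREDENTIALS = "Invalid username or password."
    DISABLED = "This account has been disabled."


@dataclass
class User:  # hypothetical model, not Flask-Login's UserMixin
    salt: bytes
    pw_hash: bytes
    is_active: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def make_user(password: str, active: bool) -> User:
    salt = os.urandom(16)
    return User(salt, _hash(password, salt), active)


# Constructed sample accounts: one active, one disabled.
USERS = {
    "alice": make_user("correct horse", active=True),
    "bob": make_user("battery staple", active=False),
}
# Hashed against when the username is unknown, so the work done is the same.
_DUMMY = make_user("unused", active=False)


def attempt_login(username: str, password: str) -> Outcome:
    user = USERS.get(username)
    target = user or _DUMMY
    # Step 1: authentication. Unknown name, wrong password and wrong password
    # on a disabled account all produce the same answer.
    proven = hmac.compare_digest(_hash(password, target.salt), target.pw_hash)
    if user is None or not proven:
        return Outcome.BAD_CREDENTIALS
    # Step 2: account state, reached only after the password was proven.
    if not user.is_active:
        return Outcome.DISABLED
    return Outcome.OK
```

In a Flask-Login view, step 2 corresponds to checking the return value of `login_user(user)`, which is `False` for an inactive user unless `force=True` is passed.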
