magnet-cl / django-project-template

A project template for Django in python 3
MIT License

When a deactivated user tries to log in, it displays that credentials are invalid. #133

Open acolazo opened 2 years ago

acolazo commented 2 years ago

When a deactivated user tries to log in, it displays that the credentials are invalid instead of indicating that the user is deactivated.

Digging into the code the class AuthenticationForm has the following code:

self.user_cache = authenticate(email=email, password=password)
if self.user_cache is None:
    raise forms.ValidationError(
        self.error_messages['invalid_login'],
        code='invalid_login',
        params={'email': self.email_field.verbose_name},
    )
elif not self.user_cache.is_active:
    raise forms.ValidationError(
        self.error_messages['inactive'],
        code='inactive',
    )

It doesn't get to the elif because authenticate returns None when the user is deactivated.

nstuardod commented 2 years ago

Actually, the issue occurs at ModelBackend. It is made to reject deactivated users by default. This is more a feature than a bug, because it hides from external users the fact that the account exists.

acolazo commented 2 years ago

The bug is that there is an unreachable block of code to raise an error message that will never occur. The ModelBackend works as intended, but the elif block I referenced will never be executed.

The block of code should either be reachable and show the inactive error message, or the elif block should be removed and there shouldn't be an inactive error message.

nstuardod commented 2 years ago

To make it reachable, you need a different backend such as AllowAllUsersModelBackend. The default one won't work. https://docs.djangoproject.com/en/2.2/topics/auth/default/#django.contrib.auth.forms.AuthenticationForm
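The backend difference discussed in this thread, as an added stand-alone model (not code from this project or from Django): `ModelBackend` and `AllowAllUsersModelBackend` below are simplified stand-ins for the Django classes of the same name, `form_clean` mirrors the form branch quoted above, and the accounts and the SHA-256 "hasher" are constructed for the example. It shows that the `inactive` branch is reachable only with the allow-all backend, and that the default backend returns the same `invalid_login` for an unknown email, a wrong password and a deactivated account, which is the account-existence point made earlier.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class User:
    email: str
    password_hash: bytes
    is_active: bool = True


def make_hash(password: str) -> bytes:
    # Stand-in for Django's salted PBKDF2 hasher; enough to model the flow.
    return hashlib.sha256(password.encode()).digest()


# Constructed sample accounts; not real project data.
USERS = {
    "active@example.com": User("active@example.com", make_hash("correct-horse")),
    "deactivated@example.com": User(
        "deactivated@example.com", make_hash("correct-horse"), is_active=False
    ),
}


class ModelBackend:
    """Default shape: a deactivated user authenticates as None (user_can_authenticate checks is_active)."""

    def user_can_authenticate(self, user: User) -> bool:
        return user.is_active

    def authenticate(self, email: str, password: str):
        user = USERS.get(email)
        if user is None or not hmac.compare_digest(user.password_hash, make_hash(password)):
            return None
        return user if self.user_can_authenticate(user) else None


class AllowAllUsersModelBackend(ModelBackend):
    """Returns the user regardless of is_active, so the form's 'inactive' branch is reachable."""

    def user_can_authenticate(self, user: User) -> bool:
        return True


def form_clean(backend: ModelBackend, email: str, password: str) -> str:
    """Mirrors the AuthenticationForm branch quoted in the issue; returns the error code, or 'ok'."""
    user = backend.authenticate(email=email, password=password)
    if user is None:
        return "invalid_login"
    if not user.is_active:
        return "inactive"
    return "ok"
```

Swapping in the allow-all backend makes the existing `inactive` message reachable, but it also means a correct password on a deactivated account is answered differently from a wrong one, so the choice trades the clearer message against the account-existence signal described above.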