Opened 18 years ago
Closed 18 years ago
#2353 closed defect (invalid)
auth doesn't allow direct use of login() (without prior authenticate call)
Reported by: | Rhett Garber | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | Contrib apps | Version: | |
Severity: | normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
It would appear that I cannot call login without calling authenticate() because the 'backend' member variable does not exist until you call authenticate.
This seems rather unfriendly at least, but also limiting for no good reason. What if I want to handle authentication myself?
I'm not sure if this is the only place that matters:
`django.contrib.auth.__init__` line 53: `request.session[BACKEND_SESSION_KEY] = user.backend`
My usage of this is a signup page. I create the user, and I just want to directly log them in by calling `login(request, user)` on my newly created user object. I would rather not have an extra `authenticate()` call.
This is not a good idea. The `login()` method is designed to make the current authorisation token persistent. It assumes the user has already been authorised by passing an authentication phase. That is one reason why we also record which backend they authenticated against, so that we can interact with it later if needs be. If you want to handle the authentication yourself, then writing your own authentication backend is the solution. If you want to log them in immediately after creating the account, you will have the password and username (if that's what your auth backend needs) at that point and can call `authenticate()` correctly. But marking a user as logged in without having authenticated them via one of the approved backends with the required credentials would be a security hole (it would let apps work around a site's configured security settings, for example).
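To make the mechanism behind this closing comment concrete, here is an added example (not from the ticket and not Django's own code): a minimal stand-in that mirrors how `authenticate()` tags the user with the backend that accepted it, why `login()` depends on that tag, and the recommended signup flow (create, then authenticate with the known credentials, then login). The `User` class, in-memory user store, `ModelBackend`, `SESSION_KEY` name and plain-dict session are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

BACKEND_SESSION_KEY = "_auth_user_backend"  # key named in the ticket
SESSION_KEY = "_auth_user_id"               # assumed name for this example


@dataclass
class User:
    username: str
    password: str  # plaintext only in this toy store; real code stores a hash
    is_active: bool = True
    backend: Optional[str] = None  # set only by authenticate()


USERS: Dict[str, User] = {}  # constructed in-memory user store


class ModelBackend:
    """Checks username/password against the constructed user store."""

    def authenticate(self, username=None, password=None):
        user = USERS.get(username)
        if user is not None and user.is_active and user.password == password:
            return user
        return None


AUTHENTICATION_BACKENDS = [ModelBackend]  # the site's configured backends


def authenticate(**credentials):
    """Try each configured backend; tag the user with the one that accepted it."""
    for backend_cls in AUTHENTICATION_BACKENDS:
        user = backend_cls().authenticate(**credentials)
        if user is not None:
            user.backend = f"{backend_cls.__module__}.{backend_cls.__name__}"
            return user
    return None


def login(session, user):
    """Persist an already-authenticated user; refuse one no backend vetted."""
    if getattr(user, "backend", None) is None:
        raise ValueError("login() requires a user returned by authenticate()")
    session[SESSION_KEY] = user.username
    session[BACKEND_SESSION_KEY] = user.backend


def signup_and_login(session, username, password):
    """The flow the comment recommends: create, authenticate, then login."""
    USERS[username] = User(username, password)
    user = authenticate(username=username, password=password)
    if user is None:
        return False
    login(session, user)
    return True
```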