Opened 17 years ago
Closed 12 years ago
#7299 closed Bug (duplicate)
XViewMiddleware raises AttributeError when authentication system is disabled
Reported by: | Takanori Ishikawa | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
How to reproduce
- Disable
django.contrib.auth.middleware.AuthenticationMiddleware
insettings.MIDDLEWARE_CLASSES
- Disable
django.contrib.auth
insettings.INSTALLED_APPS
- Make sure
settings.INTERNAL_IPS
is empty.
MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', #'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.middleware.doc.XViewMiddleware', ) INSTALLED_APPS = ( #'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.sites', 'mysite.polls', ) INTERNAL_IPS = ()
- Open url via a HEAD request. (Make sure the corresponding page exists in
url.py
) - '500 INTERNAL SERVER ERROR' response
% curl --head http://localhost:8000/polls/ HTTP/1.0 500 INTERNAL SERVER ERROR Date: Fri, 23 May 2008 15:23:53 GMT Server: WSGIServer/0.1 Python/2.5.2 Content-Type: text/html
- So, in the Python traceback, it caused by
django.middleware.doc.XViewMiddleware
05-19 05:48AM 48.597 Exception in request: Traceback (most recent call Exception in request: Traceback (most recent call last): File "/base/data/home/apps/metareal/1.10/django/core/handlers/base.py", line 77, in get_response response = middleware_method(request, callback, callback_args, callback_kwargs) File "/base/data/home/apps/metareal/1.10/django/middleware/doc.py", line 15, in process_view if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user.is_authenticated() and request.user.is_staff)): AttributeError: 'WSGIRequest' object has no attribute 'user'
My Environment
- Mac OS X 10.4.11
- Python 2.5.2
- Django revision 7547
Patch
Attached patch: django_xview_middleware.diff
might fix the problem. It also add testcase for XViewMiddleware.
Attachments (1)
Change History (10)
by , 17 years ago
Attachment: | django_xview_middleware.diff added |
---|
comment:1 by , 17 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
comment:2 by , 17 years ago
Resolution: | wontfix |
---|---|
Status: | closed → reopened |
Triage Stage: | Unreviewed → Design decision needed |
According to the documentation of the middleware, the auth subsystem is not an absolute dependency. For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem, just like the xheaders middleware, as ishikawa_takanori pointed out on the mailing list.
Comments, ubernostrum?
comment:3 by , 16 years ago
I think this is a bug. The code dereferences through a None value and it shouldn't. It occurs for HEAD requests on Google App Engine if you use Google Auth instead of Django auth. The previously attached diff is not correct. The correct fix is the following code:
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user and request.user.is_authenticated() and request.user.is_staff)):
Change is addition of "request.user and"
comment:4 by , 16 years ago
One more thing: Taking this statement "For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem" at face value explains why it's a bug. Since I only need one or the other, the code must not fail if I don't have the auth subsystem. And it does.
comment:5 by , 15 years ago
I run into this problem myself as I'm using my own auth system. I couldn't agree more with royleban.
Has this been committed to the main branch? I'm using django off of Ubuntu 9.04 release and it's not fixed there.
Thanks.
comment:6 by , 15 years ago
Proposed fix (slightly different than royleban's):
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (hasattr(request, "user") and request.user.is_authenticated() and request.user.is_staff)):
comment:7 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → Bug |
comment:8 by , 13 years ago
Easy pickings: | unset |
---|---|
Triage Stage: | Design decision needed → Accepted |
UI/UX: | unset |
Marking as accepted, if it has a dependency it should raise an explicit error about that, not fail on an attribute error.
comment:9 by , 12 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
Duplicate of already fixed #14506
If something has a particular dependency, hiding the dependency and pretending it will still work isn't the correct solution.