Ticket #2550: ticket2550d.diff

django/contrib/auth/__init__.py

@@ -1 @@
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured, PermissionDenied
 from django.utils.importlib import import_module
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 
@@ -40 +40 @@
         except TypeError:
             # This backend doesn't accept these credentials as arguments. Try the next one.
             continue
+        except PermissionDenied:
+            # This backend says to stop in our tracks - this user should not be allowed in at all.
+            return None
         if user is None:
             continue
         # Annotate the user object with the path of the backend.

django/contrib/auth/tests/__init__.py

@@ -1 +1 @@
 from django.contrib.auth.tests.auth_backends import (BackendTest,
     RowlevelBackendTest, AnonymousUserBackendTest, NoBackendsTest,
-    InActiveUserBackendTest)
+    InActiveUserBackendTest, PermissionDeniedBackendTest)
 from django.contrib.auth.tests.basic import BasicTestCase
 from django.contrib.auth.tests.context_processors import AuthContextProcessorTests
 from django.contrib.auth.tests.decorators import LoginRequiredTestCase

django/contrib/auth/tests/auth_backends.py

@@ -3 +3 @@
 from django.conf import settings
 from django.contrib.auth.models import User, Group, Permission, AnonymousUser
 from django.contrib.contenttypes.models import ContentType
-from django.core.exceptions import ImproperlyConfigured
+from django.core.exceptions import ImproperlyConfigured, PermissionDenied
+from django.contrib.auth import authenticate
 from django.test import TestCase
 from django.test.utils import override_settings
 
@@ -258 +259 @@
     def test_has_module_perms(self):
         self.assertEqual(self.user1.has_module_perms("app1"), False)
         self.assertEqual(self.user1.has_module_perms("app2"), False)
+
+
+class PermissionDeniedBackend(object):
+    """
+    Always raises PermissionDenied.
+    """
+    supports_object_permissions = True
+    supports_anonymous_user = True
+    supports_inactive_user = True
+
+    def authenticate(self, username=None, password=None):
+        raise PermissionDenied
+
+
+class PermissionDeniedBackendTest(TestCase):
+    """
+    Tests that other backends are not checked once a backend raises PermissionDenied
+    """
+    backend = 'django.contrib.auth.tests.auth_backends.PermissionDeniedBackend'
+
+    def setUp(self):
+        self.user1 = User.objects.create_user('test', 'test@example.com', 'test')
+        self.user1.save()
+
+    @override_settings(AUTHENTICATION_BACKENDS=(backend, ) +
+            tuple(settings.AUTHENTICATION_BACKENDS))
+    def test_permission_denied(self):
+        "user is not authenticated after a backend raises permission denied #2550"
+        self.assertEqual(authenticate(username='test', password='test'), None)
+
+    @override_settings(AUTHENTICATION_BACKENDS=tuple(
+            settings.AUTHENTICATION_BACKENDS) + (backend, ))
+    def test_authenticates(self):
+        self.assertEqual(authenticate(username='test', password='test'), self.user1)

docs/releases/1.5.txt

@@ -111 +111 @@
   argument. By default the batch_size is unlimited except for SQLite where
   single batch is limited so that 999 parameters per query isn't exceeded.
 
+* Authentication backend can raise ``PermissionDenied`` to immediately fail
+  the authentication chain.
+
 Backwards incompatible changes in 1.5
 =====================================
 

docs/topics/auth.txt

@@ -1764 +1764 @@
     you need to force users to re-authenticate using different methods. A simple
     way to do that is simply to execute ``Session.objects.all().delete()``.
 
+.. versionadded:: 1.4
+
+If a backend raises a :class:`~django.core.exceptions.PermissionDenied`
+exception, authentication will immediately fail. Django won't check the backends that follow.
+
+
 Writing an authentication backend
 ---------------------------------