Opened 15 years ago
Closed 10 years ago
#12148 closed New feature (fixed)
Don't use invalid backend from the Session to load the user in contrib.auth.get_user
Reported by: | Tamas Szabo | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | vlastimil.zima@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
django.contrib.auth saves the backend_path used to authenticate the user in the session.
This works great, but when you remove the authorization backend you get an ImproperlyConfigured error.
The error references the old authorization backend so your first instinct is that the problem must be in your settings file.
I've been bitten by this a few times now; sometimes I remember to delete the Sessions manually, other times (like today) I think that my old settings.py must be executed and I go through the pain of deleting directories, redeploying and restarting servers.
I would like to suggest adding a check to the get_user call, that checks if the backend_path saved in the session is still in settings.AUTHORIZATION_BACKENDS.
If it isn't, don't try to load it.
Patch for django.contrib.auth.__init__.py and tests included.
Thanks.
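The check requested above, modelled outside Django as an added example (not the ticket's patch and not Django's own code). The names `demo_backends`, `RetiredBackend`, `session_for` and the `check_settings` flag are constructed for illustration, and the example goes beyond the ticket's case by also covering a backend that is still importable but no longer listed in settings.

```python
import importlib
import sys
import types

SESSION_KEY = "_auth_user_id"               # session keys used by contrib.auth
BACKEND_SESSION_KEY = "_auth_user_backend"

class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""

class DemoBackend:
    """Constructed backend with an in-memory user store."""
    def get_user(self, user_id):
        return {"1": "alice"}.get(user_id)

# Constructed module so the dotted paths below import offline.
_mod = types.ModuleType("demo_backends")
_mod.DemoBackend = _mod.RetiredBackend = DemoBackend
sys.modules["demo_backends"] = _mod
# Stand-in for the settings list; RetiredBackend has been removed from it.
AUTHENTICATION_BACKENDS = ["demo_backends.DemoBackend"]

def load_backend(path):
    """Import a backend class by dotted path and instantiate it."""
    module_name, _, attr = path.rpartition(".")
    try:
        return getattr(importlib.import_module(module_name), attr)()
    except (ImportError, AttributeError, ValueError) as exc:
        raise ImproperlyConfigured(f"Error importing backend {path}") from exc

def get_user(session, check_settings=True):
    """Return the user for a session, or None (anonymous)."""
    try:
        user_id, path = session[SESSION_KEY], session[BACKEND_SESSION_KEY]
    except KeyError:
        return None
    # The check asked for in the ticket: skip a path that is no longer configured.
    if check_settings and path not in AUTHENTICATION_BACKENDS:
        return None
    return load_backend(path).get_user(user_id)

def session_for(path):
    """Constructed session dict pinned to the given backend path."""
    return {SESSION_KEY: "1", BACKEND_SESSION_KEY: path}

if __name__ == "__main__":
    for p in ("demo_backends.DemoBackend", "demo_backends.RetiredBackend",
              "removed_pkg_demo.Backend"):
        print(p, "->", get_user(session_for(p)))
```

With `check_settings=False` the retired backend still resolves the user and the missing module raises `ImproperlyConfigured`, which is the behaviour the ticket reports.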
Attachments (2)
Change History (9)
by , 15 years ago
Attachment: | auth_get_user_patch.diff added |
---|
comment:1 by , 15 years ago
Patch needs improvement: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
by , 15 years ago
Attachment: | auth_get_user_patch_v2.diff added |
---|
comment:2 by , 15 years ago
Added a new version of the patch that moves the tests to contrib/auth/tests/auth_backends.py.
I've also changed the tests to be more similar to the tests already in auth_backends.
comment:3 by , 14 years ago
Cc: | added |
---|
comment:4 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → New feature |
comment:7 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
This looks like it has been fixed: https://github.com/django/django/blob/19e6397f82e82438eb3047be0233aa2e555b3a12/django/contrib/auth/__init__.py#L155-L157
Seems sensible. Patch needs updating for trunk (auth backend tests are now in contrib.auth.tests).