#13190 closed (fixed)
Empty settings.AUTHENTICATION_BACKENDS creates hard to trace problem
Reported by: | joel3000 | Owned by: | Gabriel Hurley |
---|---|---|---|
Component: | contrib.auth | Version: | 1.1 |
Severity: | Keywords: | easy-pickings AUTHENTICATION_BACKENDS | |
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
This is an obscure problem. If in settings.py the AUTHENTICATION_BACKENDS list is empty (i.e. AUTHENTICATION_BACKENDS=()),
then there will be no backends available to authenticate as it will override the django default behavior of using the default auth code.
When this occurs the auth login screen will just return a generic error about invalid username and password that is a pain to trace.
Unfortunately, I don't have time to figure out how to submit this change by the procedure but here is what I suggest to fix it.
In django/contrib/auth/init.py , add this check to get_backends():
def get_backends(): from django.conf import settings backends = [] for backend_path in settings.AUTHENTICATION_BACKENDS: backends.append(load_backend(backend_path)) #### new code start#### if len(backends)==0: raise ImproperlyConfigured, 'settings.AUTHENTICATION_BACKENDS is empty.' #### new code end ##### return backends
It's an obscure problem, but it does seem to violate the "no magic" rule for django, and it tripped me up for a day
having to hunt it down.
Attachments (2)
Change History (14)
comment:1 by , 15 years ago
Has patch: | set |
---|---|
milestone: | → 1.2 |
Owner: | changed from | to
Status: | new → assigned |
comment:2 by , 15 years ago
milestone: | 1.2 |
---|
comment:3 by , 15 years ago
Needs tests: | set |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:4 by , 15 years ago
Needs tests: | unset |
---|
Test added. I'll agree with James Bennett about it not being critical for 1.2. I've certainly never run into this bug myself. It seems like a pretty safe/stable change though... Either way, I've got no stake in it personally.
by , 14 years ago
Attachment: | 13190_empty_auth_backends.diff added |
---|
comment:7 by , 14 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
This patch looks good to me. Marking as RFC.
comment:8 by , 14 years ago
The code really should be changed to use the raise Exception("message")
syntax.
comment:9 by , 14 years ago
Keywords: | easy-pickings added |
---|
comment:10 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
This is enough of an edge case (you have to manually clear
AUTHENTICATION_BACKENDS
to trigger it) that it's not 1.2-critical.