#1488 closed defect (fixed)
[magic-removal][patch] request.user proxy object gives read-only attributes
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Core (Other) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The lazy loading request.user proxy object gives read-only access to user attributes. Attached patch allows setting attributes on request.user
Attachments (3)
Change History (10)
by , 18 years ago
| Attachment: | auth_middleware_fix.diff added |
|---|
by , 18 years ago
| Attachment: | auth_middleware_fix.2.diff added |
|---|
auth middleware fix permits setting attributes on request.use
by , 18 years ago
| Attachment: | auth_middleware_fix.3.diff added |
|---|
_actual_ patch, ignore first two files
comment:1 by , 18 years ago
Reassigning request.__class__ attribute feels really wrong to me. However, this works, and the current implementation doesn't... at least not like it should. I don't have any ideas other than using properties on the request object like it was before. Is de-coupling worth the __class__ hack in this case? Is there another way to do this?
comment:2 by , 18 years ago
Both the current magic-removal behavior *and* this patch are problematic in that they access request.session for every request. That should be lazy in itself. I'm working on it...
comment:3 by , 18 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:4 by , 18 years ago
Note that my solution accomplished it by doing this:
request.__class__.user = LazyUser(request.session)
That's hackish as well, because it changes the class instead of the instance. I couldn't get per-instance descriptors to work. Maybe this discussion can help us come up with a cleaner solution.
comment:6 by , 18 years ago
Hi Adrian,
Good point about session access needing to be lazy too - should have thought of that.
Note that in my patch the descriptor binds the user to the instance - this way the descriptor is only called the first time the user attribute is accessed because instance.__dict__ has priority over "non-data" descriptors.
The last version of my patch does actually do per-instance descriptors by dynamically creating a new subclass for each instance (this was an Alex Martelli trick I found somewhere in c.l.p.) but I have just timed it and unfortunately class creation is slow (it takes about 30 times as long).
Also note that there is a stray import of SESSION_KEY still in there.
comment:7 by , 18 years ago
Thanks for the info -- and for the heads-up about the stray import. Fixed in [2592].
auth middleware fix permits setting attributes on request.use