request.user cached value does not track request.session change
|Reported by:||Tuttle||Owned by:||nobody|
|Cc:||msopacua||Triage Stage:||Design decision needed|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
During the Single-Sign On technique implementation I came to the need of replacing request.session with a new session or just setting request.session = None.
The descriptor in AuthenticationMiddleware nevertheless does not remember the session for which it sets the request._cached_user.
IMHO, the descriptor should cache the session key when it saves the _cached_user and allow _cached_user to be used only when the session key did not unchange.
Currently everyone who changes the session during the request processing HAS to dig into the AuthenticationMiddleware internals and modify the _cached_user to get valid request.user. That's hard to maintain.
I can offer the patch, but would like to get some response first.
Change History (5)
comment:1 Changed 4 years ago by Tuttle
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Type changed from Uncategorized to New feature
comment:2 Changed 3 years ago by msopacua
- Cc msopacua added
- Triage Stage changed from Unreviewed to Design decision needed
comment:3 Changed 3 years ago by aaugustin
- Resolution set to wontfix
- Status changed from new to closed