Opened 2 years ago

Closed 13 months ago

Last modified 13 months ago

#18265 closed New feature (wontfix)

request.user cached value does not track request.session change

Reported by: Tuttle
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc: msopacua
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

While implementing a Single Sign-On technique, I needed to replace request.session with a new session or just set request.session = None.

The descriptor in AuthenticationMiddleware nevertheless does not remember the session for which it sets the request._cached_user.

IMHO, the descriptor should cache the session key when it saves the _cached_user and allow _cached_user to be used only when the session key has not changed.

Currently everyone who changes the session during the request processing HAS to dig into the AuthenticationMiddleware internals and modify the _cached_user to get valid request.user. That's hard to maintain.

I can offer the patch, but would like to get some response first.

Attachments (0)
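The behaviour reported in the description and the session-key check it proposes, as an added example that is not part of the original ticket and is not Django's code. It is a simplified model: `Session`, `SESSIONS`, `load_user`, `CachedUser` and `SessionBoundCachedUser` are hypothetical names, and the session store is constructed sample data.

```python
# Simplified model of a lazily cached request.user (constructed; not Django source).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # constructed store: key -> user
_UNSET = object()  # marks "no session key recorded yet"


class Session:
    def __init__(self, key):
        self.session_key = key


def load_user(request):
    """Hypothetical stand-in for resolving the user from the current session."""
    session = request.session
    return SESSIONS.get(session.session_key, "anonymous") if session else "anonymous"


class CachedUser:
    """Caches the user on first access and never looks at the session again."""

    def __get__(self, request, owner=None):
        if not hasattr(request, "_cached_user"):
            request._cached_user = load_user(request)
        return request._cached_user


class SessionBoundCachedUser:
    """Variant proposed in the ticket: reuse the cache only for the same session key."""

    def __get__(self, request, owner=None):
        key = request.session.session_key if request.session else None
        if getattr(request, "_cached_user_key", _UNSET) != key:
            request._cached_user = load_user(request)
            request._cached_user_key = key
        return request._cached_user


def user_after_session_swap(descriptor, new_session):
    """Read .user, replace the session mid-request, then read .user again."""
    request = type("Request", (), {"user": descriptor})()
    request.session = Session("sess-alice")
    first = request.user           # populates the cache as alice
    request.session = new_session  # SSO code swaps the session
    return first, request.user
```

With `CachedUser`, the second read still returns the identity tied to the replaced session, so any permission check later in the same request runs against the wrong user.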

Change History (5)

comment:1 Changed 2 years ago by Tuttle

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Type changed from Uncategorized to New feature

comment:2 Changed 22 months ago by msopacua

  • Cc msopacua added
  • Triage Stage changed from Unreviewed to Design decision needed

Submitter will provide patch if feature is considered useful.

comment:3 Changed 13 months ago by aaugustin

  • Resolution set to wontfix
  • Status changed from new to closed

I'm sorry, but replacing request.session isn't supported. It isn't possible to anticipate the side effects in general. It's up to you to deal with the specific consequences in your project.

comment:4 Changed 13 months ago by Tuttle

Thank you for the answer. I am trying to understand your position.

In my humble opinion, every piece of code maintaining any cached value should be clever enough to track the cached value's validity (or at least support such testing). It looks like it's currently the only thing standing in the way of supporting request.session replacement (which IMO is not too shameful a technique by itself).

comment:5 Changed 13 months ago by aaugustin

You can write to django-developers and see if other people would be interested in this change.
