#18998 closed Bug (fixed)

Removing an authentication backend that's cached in a user's session causes exception

Reported by: Bradley Ayers <brad@…>
Owned by: jorgebastida
Component: contrib.auth
Version: 1.4
Severity: Normal
Keywords:
Cc: sunny@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Here's the scenario:

  1. I add a new authentication backend to AUTHENTICATION_BACKENDS.
  2. I deploy the code and a user logs in using that backend, and then logs out.
  3. I decide I want to change the name of the backend, so I do, and update AUTHENTICATION_BACKENDS accordingly.
  4. I deploy the code, and the same user loads the login page again.

On loading the page, an exception will be raised:

Traceback (most recent call last):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/console/base.py", line 105, in wrapped
    result = func(request, *args, **kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 19, in _wrapped_view
    if test_func(request.user):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 184, in inner
    self._setup()
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 248, in _setup
    self._wrapped = self._setupfunc()
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 16, in <lambda>
    request.user = SimpleLazyObject(lambda: get_user(request))
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 8, in get_user
    request._cached_user = auth.get_user(request)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 100, in get_user
    backend = load_backend(backend_path)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 22, in load_backend
    raise ImproperlyConfigured('Module "%s" does not define a "%s" authentication backend' % (module, attr))
ImproperlyConfigured: Module "project.apps.core.backends" does not define a "EmailOrUsernameModelBackend" authentication backend

EmailOrUsernameModelBackend is the name of the old backend that has been renamed.

Change History (12)

comment:1 Changed 22 months ago by claudep

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I guess that catching ImproperlyConfigured in addition to KeyError in get_user is the way to go here.

comment:2 Changed 22 months ago by Bradley Ayers <brad@…>

I think the code that retrieves the auth backend from the session should ensure it's within AUTHENTICATION_BACKENDS. If it's not, treat it as invalid and ignore it.

comment:3 Changed 22 months ago by mhaligowski

  • Owner changed from nobody to mhaligowski

comment:4 Changed 22 months ago by mhaligowski

  • Resolution set to fixed
  • Status changed from new to closed
  • Triage Stage changed from Accepted to Fixed on a branch

comment:5 Changed 22 months ago by lrekucki

  • Has patch set
  • Triage Stage changed from Fixed on a branch to Accepted

The ticket isn't fixed until a core developer commits the code to the master. You should have just marked the "Has patch" flag. See https://docs.djangoproject.com/en/1.4/internals/contributing/triaging-tickets/#triage-stages for more info :)

comment:6 Changed 22 months ago by mhaligowski

Ah, I expected so:) Sorry for that and thanks for the info.

comment:7 Changed 22 months ago by ptone

  • Resolution fixed deleted
  • Status changed from closed to reopened

We should probably remove the fixed on branch stage

comment:8 Changed 16 months ago by aaugustin

  • Status changed from reopened to new

comment:9 Changed 14 months ago by jorgebastida

  • Owner changed from mhaligowski to jorgebastida
  • Status changed from new to assigned

comment:10 Changed 14 months ago by jorgebastida

Last edited 14 months ago by jorgebastida

comment:11 Changed 14 months ago by jorgebastida

  • Triage Stage changed from Accepted to Ready for checkin

comment:12 Changed 14 months ago by Claude Paroz <claude@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In dc43fbc2f21c12e34e309d0e8a121020391aa03a:

Fixed #18998 - Prevented session crash when auth backend removed

Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
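
Added example (not part of the ticket and not Django's code): a framework-free model of the behaviour discussed above, where a backend path stored in the session is honoured only if it is still in the configured list, and a stale path makes the session anonymous instead of raising. The session keys, backend class, registry and function names are hypothetical, and clearing the session on a stale path is this example's assumption.

```python
# Added illustration; every name below is hypothetical, not Django's API.
SESSION_USER_KEY = "_auth_user_id"          # constructed session keys
SESSION_BACKEND_KEY = "_auth_user_backend"
ANONYMOUS = None


class UsernameBackend:
    """Stand-in backend with a tiny constructed user table."""
    users = {1: "alice"}

    def get_user(self, user_id):
        return self.users.get(user_id)


# Registry standing in for importable dotted paths.
IMPORTABLE = {"project.backends.UsernameBackend": UsernameBackend}


def load_backend(path):
    """Resolve a dotted path to a backend instance, or raise LookupError."""
    try:
        return IMPORTABLE[path]()
    except KeyError:
        raise LookupError("no authentication backend at %r" % path)


def get_user_unchecked(session):
    """Trusts the stored path, so a renamed backend raises on every request."""
    backend = load_backend(session[SESSION_BACKEND_KEY])
    return backend.get_user(session[SESSION_USER_KEY])


def get_user_checked(session, configured_backends):
    """Treat a stored path outside the configured list as an invalid session."""
    try:
        user_id = session[SESSION_USER_KEY]
        path = session[SESSION_BACKEND_KEY]
    except KeyError:
        return ANONYMOUS
    if path not in configured_backends:
        session.clear()  # assumption: drop stale auth state, forcing re-login
        return ANONYMOUS
    return load_backend(path).get_user(user_id)


if __name__ == "__main__":
    # Constructed session left over from before the backend was renamed.
    stale = {SESSION_USER_KEY: 1,
             SESSION_BACKEND_KEY: "project.backends.EmailOrUsernameModelBackend"}
    print(get_user_checked(stale, ["project.backends.UsernameBackend"]))
```

The membership test also means a session can only ever select a backend the deployment currently lists, regardless of what the session store holds.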
