Opened 12 years ago

Closed 12 years ago

#18998 closed Bug (fixed)

Removing an authentication backend that's cached in a user's session causes exception

Reported by: Bradley Ayers <brad@…>
Owned by: jorgebastida
Component: contrib.auth
Version: 1.4
Severity: Normal
Keywords:
Cc: sunny@…
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

Here's the scenario:

  1. I add a new authentication backend to AUTHENTICATION_BACKENDS.
  2. I deploy the code and a user logs in using that backend, and then logs out.
  3. I decide I want to change the name of the backend, so I do, and update AUTHENTICATION_BACKENDS accordingly.
  4. I deploy the code, and the same user loads the login page again.

On loading the page, an exception will be raised:

Traceback (most recent call last):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/console/base.py", line 105, in wrapped
    result = func(request, *args, **kwargs)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 19, in _wrapped_view
    if test_func(request.user):
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 184, in inner
    self._setup()
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 248, in _setup
    self._wrapped = self._setupfunc()
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 16, in <lambda>
    request.user = SimpleLazyObject(lambda: get_user(request))
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 8, in get_user
    request._cached_user = auth.get_user(request)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 100, in get_user
    backend = load_backend(backend_path)
  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 22, in load_backend
    raise ImproperlyConfigured('Module "%s" does not define a "%s" authentication backend' % (module, attr))
ImproperlyConfigured: Module "project.apps.core.backends" does not define a "EmailOrUsernameModelBackend" authentication backend

EmailOrUsernameModelBackend is the name of the old backend that has been renamed.

Change History (12)

comment:1 by Claude Paroz, 12 years ago

Triage Stage: Unreviewed → Accepted

I guess that catching ImproperlyConfigured in addition to KeyError in get_user is the way to go here.

comment:2 by Bradley Ayers <brad@…>, 12 years ago

I think the code that retrieves the auth backend from the session should ensure it's within AUTHENTICATION_BACKENDS. If it's not, treat it as invalid and ignore it.

comment:3 by mhaligowski, 12 years ago

Owner: changed from nobody to mhaligowski

comment:4 by mhaligowski, 12 years ago

Resolution: fixed
Status: new → closed
Triage Stage: Accepted → Fixed on a branch

comment:5 by Łukasz Rekucki, 12 years ago

Has patch: set
Triage Stage: Fixed on a branch → Accepted

The ticket isn't fixed until a core developer commits the code to the master. You should have just marked the "Has patch" flag. See https://docs.djangoproject.com/en/1.4/internals/contributing/triaging-tickets/#triage-stages for more info :)

comment:6 by mhaligowski, 12 years ago

Ah, I expected so :) Sorry for that and thanks for the info.

comment:7 by Preston Holmes, 12 years ago

Resolution: fixed
Status: closed → reopened

We should probably remove the fixed on branch stage

comment:8 by Aymeric Augustin, 12 years ago

Status: reopened → new

comment:9 by jorgebastida, 12 years ago

Owner: changed from mhaligowski to jorgebastida
Status: new → assigned

comment:10 by jorgebastida, 12 years ago

In the same way, if a user logs in with backend A and then we remove A from AUTHENTICATION_BACKENDS, the user will still be logged in even if the backend is no longer available in AUTHENTICATION_BACKENDS but the module is.

Will write a patch and send a Pull Request.


comment:11 by jorgebastida, 12 years ago

Triage Stage: Accepted → Ready for checkin

comment:12 by Claude Paroz <claude@…>, 12 years ago

Resolution: fixed
Status: assigned → closed

In dc43fbc2f21c12e34e309d0e8a121020391aa03a:

Fixed #18998 - Prevented session crash when auth backend removed

Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
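To make the failure and the fix concrete, here is an added Python model of the session-to-backend lookup this ticket is about. It is not Django's code and not the committed patch: the module registry standing in for imports, the user table, the EmailBackend class and the session dicts are constructed for the illustration; SESSION_KEY and BACKEND_SESSION_KEY are the session key names Django uses. The buggy variant reproduces both the traceback in the description (backend class renamed, cached dotted path no longer resolves) and the silent case from comment:10 (backend removed from the setting while its module still imports); the fixed variant checks the cached path against AUTHENTICATION_BACKENDS first, as comment:2 proposes, and treats a stale one as an anonymous session, which is the "disconnect" behaviour the commit message describes.

```python
"""Constructed model of django.contrib.auth.get_user before and after #18998.

No Django import: backend modules are simulated by MODULE_REGISTRY and
users by USERS. None of this is Django's own code.
"""

# Session keys under which Django stores the user id and the backend path.
SESSION_KEY = "_auth_user_id"
BACKEND_SESSION_KEY = "_auth_user_backend"


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


class AnonymousUser:
    is_authenticated = False


class User:
    is_authenticated = True

    def __init__(self, pk, username):
        self.pk = pk
        self.username = username


# Constructed user table.
USERS = {1: User(1, "alice")}


class ModelBackend:
    def get_user(self, user_id):
        return USERS.get(user_id)


class EmailBackend(ModelBackend):
    """Constructed: the backend after the rename in the ticket's scenario."""


# Constructed stand-in for importing a "module.Class" dotted path.
MODULE_REGISTRY = {
    "django.contrib.auth.backends": {"ModelBackend": ModelBackend},
    "project.apps.core.backends": {"EmailBackend": EmailBackend},
}


def load_backend(path):
    """Mirror of the lookup that raised in the ticket's traceback."""
    module, attr = path.rsplit(".", 1)
    try:
        cls = MODULE_REGISTRY[module][attr]
    except KeyError:
        raise ImproperlyConfigured(
            'Module "%s" does not define a "%s" authentication backend' % (module, attr))
    return cls()


def get_user_buggy(session, authentication_backends):
    """Pre-fix behaviour: the setting is never consulted, and an unknown dotted
    path propagates ImproperlyConfigured to the whole request."""
    try:
        user_id = session[SESSION_KEY]
        backend = load_backend(session[BACKEND_SESSION_KEY])
        return backend.get_user(user_id) or AnonymousUser()
    except KeyError:
        return AnonymousUser()


def get_user_fixed(session, authentication_backends):
    """Post-fix behaviour: the cached backend path must still be configured;
    a stale or missing path yields an anonymous session instead of a crash."""
    try:
        user_id = session[SESSION_KEY]
        backend_path = session[BACKEND_SESSION_KEY]
    except KeyError:
        return AnonymousUser()
    if backend_path not in authentication_backends:
        # Backend renamed or removed: do not trust the cached path, disconnect.
        return AnonymousUser()
    backend = load_backend(backend_path)
    return backend.get_user(user_id) or AnonymousUser()


def run_scenarios():
    """Replays the ticket's scenarios against both variants; returns type names."""
    backends = ["django.contrib.auth.backends.ModelBackend",
                "project.apps.core.backends.EmailBackend"]
    results = {}
    # 1. Class renamed: the session still holds the old dotted path (description).
    stale = {SESSION_KEY: 1,
             BACKEND_SESSION_KEY: "project.apps.core.backends.EmailOrUsernameModelBackend"}
    try:
        results["renamed_buggy"] = type(get_user_buggy(dict(stale), backends)).__name__
    except ImproperlyConfigured:
        results["renamed_buggy"] = "ImproperlyConfigured"
    results["renamed_fixed"] = type(get_user_fixed(dict(stale), backends)).__name__
    # 2. Backend dropped from the setting but still importable (comment:10).
    removed = {SESSION_KEY: 1, BACKEND_SESSION_KEY: "project.apps.core.backends.EmailBackend"}
    results["removed_buggy"] = type(get_user_buggy(dict(removed), backends[:1])).__name__
    results["removed_fixed"] = type(get_user_fixed(dict(removed), backends[:1])).__name__
    # 3. Healthy session: both paths agree.
    results["valid_fixed"] = type(get_user_fixed(dict(removed), backends)).__name__
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The membership check is the whole fix: a dotted path read back from a client session is attacker-influenced only to the extent the session store is, but it is still stale state that must be validated against current configuration before it drives an import.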
