Opened 12 years ago
Closed 12 years ago
#19337 closed Bug (duplicate)
Authentication backend iteration should not rely on TypeError for detection
| Reported by: | Ruy Asan | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
This line here is the problem area. Basically it means that if at any point during the authentication process a TypeError is raised (which is not exactly unlikely) django will simply eat that error, attempt to authenticate, mysteriously fail to to do so and then give the exasperated developer few clues as to why authentication didn't actually happen despite the lack of log messages or exceptions claiming otherwise.
Relying on such generic exceptions for what basically amounts to flow control (in essence all we're trying to do here is allow the backend to signal to django that it doesn't support these credentials) is, IMHO, asking for trouble.
Why can't we simply rely on returning None (as is already the case) or perhaps an explicit value or exception?
Yes this would be a backwards incompatible change but it can be stretched over several releases and warned against using deprecation messages as with other such changes.
Yes, this is a valid concern, but it is already reported in #18171.