Opened 7 years ago

Last modified 7 years ago

#20671 new New feature

Custom backend get_user function is assumed to search by primary key

Reported by: elliot.smith91@… Owned by: nobody
Component: contrib.auth Version: 1.5
Severity: Normal Keywords: session, auth, custom
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description claims that:

The get_user method takes a user_id – which could be a username, database ID or whatever – and returns a User object.

However when using a custom authentication source and functions such as login_required the session would call get_user when needed passing the user primary key (as stored in the session).

As such, either the UserProfile should have a get_identifying_token function which replaces the primary key in the session's _auth_user_id field or the documentation should note that primary key is required when using the session middleware.

Change History (1)

comment:1 Changed 7 years ago by Baptiste Mispelon

Component: contrib.sessionscontrib.auth
Triage Stage: UnreviewedAccepted
Type: BugNew feature


The source of the problem is contrib.auth.login, which has the following line [1]:

request.session[SESSION_KEY] =

This limitation is somewhat documented, as the documentation states that [2]:

user_id [...] has to be the primary key of your User object

I think it'd be interesting to explore what we could do to lift this limitation (and if not, I agree that it should be documented more prominently).

However, I don't think that the user model is the right place for it.
From my understanding, it's the responsibility of the backend (not the user model) to store in the session whatever it needs to fetch the full user object later on.


Note: See TracTickets for help on using tickets.
Back to Top