Opened 12 years ago

Last modified 12 years ago

#20671 new New feature

Custom backend get_user function is assumed to search by primary key

Reported by: elliot.smith91@…
Owned by: nobody
Component: contrib.auth
Version: 1.5
Severity: Normal
Keywords: session, auth, custom
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

https://docs.djangoproject.com/en/1.4/topics/auth/#other-authentication-sources claims that:

The get_user method takes a user_id – which could be a username, database ID or whatever – and returns a User object.

However, when using a custom authentication source and functions such as login_required, the session would call get_user when needed, passing the user primary key (as stored in the session).

As such, either the UserProfile should have a get_identifying_token function which replaces the primary key in the session's _auth_user_id field, or the documentation should note that the primary key is required when using the session middleware.


Change History (1)

comment:1 by Baptiste Mispelon, 12 years ago

Component: contrib.sessions → contrib.auth
Triage Stage: Unreviewed → Accepted
Type: Bug → New feature

Hi,

The source of the problem is contrib.auth.login, which has the following line [1]:

request.session[SESSION_KEY] = user.pk

This limitation is somewhat documented, as the documentation states that [2]:

user_id [...] has to be the primary key of your User object

I think it'd be interesting to explore what we could do to lift this limitation (and if not, I agree that it should be documented more prominently).

However, I don't think that the user model is the right place for it.
From my understanding, it's the responsibility of the backend (not the user model) to store in the session whatever it needs to fetch the full user object later on.

[1] https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L84
[2] https://docs.djangoproject.com/en/dev/topics/auth/customizing/#writing-an-authentication-backend
