Opened 10 months ago

Last modified 10 months ago

#20671 new New feature

Custom backend get_user function is assumed to search by primary key

Reported by: elliot.smith91@…
Owned by: nobody
Component: contrib.auth
Version: 1.5
Severity: Normal
Keywords: session, auth, custom
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

https://docs.djangoproject.com/en/1.4/topics/auth/#other-authentication-sources claims that:

The get_user method takes a user_id – which could be a username, database ID or whatever – and returns a User object.

However, when using a custom authentication source and functions such as login_required, the session would call get_user when needed, passing the user's primary key (as stored in the session).

As such, either the UserProfile should have a get_identifying_token function which replaces the primary key in the session's _auth_user_id field, or the documentation should note that the primary key is required when using the session middleware.

Attachments (0)

Change History (1)

comment:1 Changed 10 months ago by bmispelon

  • Component changed from contrib.sessions to contrib.auth
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Bug to New feature

Hi,

The source of the problem is contrib.auth.login, which has the following line [1]:

request.session[SESSION_KEY] = user.pk

This limitation is somewhat documented, as the documentation states that [2]:

user_id [...] has to be the primary key of your User object

I think it'd be interesting to explore what we could do to lift this limitation (and if not, I agree that it should be documented more prominently).

However, I don't think that the user model is the right place for it.
From my understanding, it's the responsibility of the backend (not the user model) to store in the session whatever it needs to fetch the full user object later on.

[1] https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L84
[2] https://docs.djangoproject.com/en/dev/topics/auth/customizing/#writing-an-authentication-backend
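The contract the ticket and the comment above describe, shown as an added example that is not part of this ticket or of Django itself: a stand-in for django.contrib.auth.login() storing user.pk under SESSION_KEY, and two hypothetical backends whose get_user() is then called with that stored value on a later request. The User class, USERS table, get_user_from_session() and demo() are simplified constructions for this example; the real code is the login() line quoted in comment 1 and the per-request lookup in contrib.auth.

```python
"""Simplified model of the login()/get_user() contract discussed in the ticket.

Django is not imported. The session is a plain dict, the user store is a
constructed dict, and both backends are hypothetical; only the stored value
(user.pk under SESSION_KEY) mirrors what contrib.auth.login() really does.
"""

SESSION_KEY = "_auth_user_id"  # key name used by django.contrib.auth


class User:
    """Minimal stand-in for a user model instance (constructed for this example)."""

    def __init__(self, pk, username):
        self.pk = pk
        self.username = username


# Constructed user table, keyed by primary key, standing in for the database.
USERS = {1: User(1, "alice"), 2: User(2, "bob")}


def login(session, user):
    """Mirror of the line quoted in comment 1: the session keeps the primary key."""
    session[SESSION_KEY] = user.pk


class UsernameBackend:
    """Hypothetical backend written against the older doc wording ("whatever").

    It interprets user_id as a username, which the session never holds, so a
    logged-in session can no longer be resolved to a user.
    """

    def get_user(self, user_id):
        for user in USERS.values():
            if user.username == user_id:
                return user
        return None


class PrimaryKeyBackend:
    """Hypothetical backend honouring the actual contract: user_id is the pk.

    Coercing to int and returning None on any failure follows the shape of
    ModelBackend.get_user(), which looks the user up by pk and returns None
    when it does not exist.
    """

    def get_user(self, user_id):
        try:
            return USERS.get(int(user_id))
        except (TypeError, ValueError):
            return None


def get_user_from_session(backend, session):
    """Stand-in for the per-request lookup: read SESSION_KEY, ask the backend."""
    user_id = session.get(SESSION_KEY)
    if user_id is None:
        return None
    return backend.get_user(user_id)


def demo(backend):
    """Log 'alice' in, then resolve the session the way a later request would.

    Returns the resolved username, or None when the backend cannot map the
    stored primary key back to a user.
    """
    session = {}
    login(session, USERS[1])
    user = get_user_from_session(backend, session)
    return user.username if user is not None else None


if __name__ == "__main__":
    print("pk backend   ->", demo(PrimaryKeyBackend()))   # alice
    print("name backend ->", demo(UsernameBackend()))     # None
```

Running demo() with the two backends makes the ticket's point concrete: because login() only ever stores user.pk, a get_user() that searches by anything else silently returns None and every request after login looks anonymous. Whatever a backend needs to re-fetch the user must therefore be derivable from the primary key, which is the direction comment 1 suggests exploring.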
