Opened 2 years ago

Last modified 2 years ago

#20671 new New feature

Custom backend get_user function is assumed to search by primary key

Reported by: elliot.smith91@…
Owned by: nobody
Component: contrib.auth
Version: 1.5
Severity: Normal
Keywords: session, auth, custom
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

https://docs.djangoproject.com/en/1.4/topics/auth/#other-authentication-sources claims that:

The get_user method takes a user_id – which could be a username, database ID or whatever – and returns a User object.

However, when using a custom authentication source and functions such as login_required, the session would call get_user when needed, passing the user primary key (as stored in the session).

As such, either the UserProfile should have a get_identifying_token function which replaces the primary key in the session's _auth_user_id field, or the documentation should note that the primary key is required when using the session middleware.

Change History (1)

comment:1 Changed 2 years ago by bmispelon

  • Component changed from contrib.sessions to contrib.auth
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Bug to New feature

Hi,

The source of the problem is contrib.auth.login, which has the following line [1]:

request.session[SESSION_KEY] = user.pk

This limitation is somewhat documented, as the documentation states that [2]:

user_id [...] has to be the primary key of your User object

I think it'd be interesting to explore what we could do to lift this limitation (and if not, I agree that it should be documented more prominently).

However, I don't think that the user model is the right place for it.
From my understanding, it's the responsibility of the backend (not the user model) to store in the session whatever it needs to fetch the full user object later on.

[1] https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L84
[2] https://docs.djangoproject.com/en/dev/topics/auth/customizing/#writing-an-authentication-backend
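
Added example, not part of the ticket or of Django's code: a simplified pure-Python model of the flow described above, in which login stores user.pk under the session's _auth_user_id field and later requests pass that value to the backend's get_user. The User class, DIRECTORY, the two backend classes, user_for_request and round_trip are hypothetical names; a None result stands for the request being treated as unauthenticated.

```python
# Simplified model of the flow discussed in this ticket (not Django's code).
from dataclasses import dataclass
from typing import Optional

SESSION_KEY = "_auth_user_id"  # session field named in the ticket

@dataclass(frozen=True)
class User:
    pk: int
    username: str

# Constructed sample directory standing in for an external auth source.
DIRECTORY = [User(pk=7, username="alice"), User(pk=8, username="bob")]

class UsernameBackend:
    """Follows the 'user_id could be a username' reading of the docs."""
    def authenticate(self, username: str) -> Optional[User]:
        return next((u for u in DIRECTORY if u.username == username), None)

    def get_user(self, user_id) -> Optional[User]:
        # Treats the session value as a username, so a stored pk never matches.
        return next((u for u in DIRECTORY if u.username == user_id), None)

class PrimaryKeyBackend(UsernameBackend):
    """Same source, but get_user accepts what login() actually stores."""
    def get_user(self, user_id) -> Optional[User]:
        return next((u for u in DIRECTORY if u.pk == user_id), None)

def login(session: dict, user: User) -> None:
    # Mirrors the line quoted in comment:1.
    session[SESSION_KEY] = user.pk

def user_for_request(session: dict, backend) -> Optional[User]:
    # Later requests hand the stored value back to the backend's get_user.
    return backend.get_user(session[SESSION_KEY]) if SESSION_KEY in session else None

def round_trip(backend, username: str) -> Optional[User]:
    """Authenticate, log in, then resolve the user as a later request would."""
    session: dict = {}
    user = backend.authenticate(username)
    if user is None:
        return None
    login(session, user)
    return user_for_request(session, backend)
```

With UsernameBackend the credentials check succeeds but the very next lookup fails, so a view guarded by login_required would never see the user as logged in.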
