Opened 10 years ago

Closed 10 years ago

#2353 closed defect (invalid)

auth doesn't allow direct use of login() (without prior authenticate call)

Reported by: Rhett Garber
Owned by: Adrian Holovaty
Component: Contrib apps
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


It would appear that I cannot call login without calling authenticate() because the 'backend' member variable does not exist until you call authenticate.
This seems rather unfriendly at least, but also limiting for no good reason. What if I want to handle authentication myself?

I'm not sure if this is the only place that matters:

django.contrib.auth.__init__ line 53:

request.session[BACKEND_SESSION_KEY] = user.backend

My usage of this is a signup page. I create the user, and I just want to directly log them in by calling login(request, user) on my newly created user object. I would rather not have an extra authenticate() call.

Change History (1)

comment:1 Changed 10 years ago by Malcolm Tredinnick

Resolution: invalid
Status: new → closed

This is not a good idea. The login() method is designed to make the current authorisation token persistent. It assumes the user has already been authorised by passing an authentication phase. That is one reason why we also record which backend they authenticated against, so that we can interact with it later if needs be.

If you want to handle the authentication yourself, then writing your own authentication backend is the solution. If you want to log them in immediately after creating the account, you will have the password and username (if that's what your auth backend needs) at that point and can call authenticate() correctly. But marking a user as logged in without having authenticated them via one of the approved backends with the required credentials would be a security hole (it would let apps work around a site's configured security settings, for example).
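The contract discussed in this ticket, as an added example that is not part of the ticket and is not Django's code: a simplified standard-library model in which authenticate() tags the user with the backend that accepted the credentials and login() only persists that result. User, StoreBackend, signup, the session dict and the key values are all constructed for illustration; only the BACKEND_SESSION_KEY name and the user.backend attribute come from the ticket.

```python
import hashlib
import hmac
import os

BACKEND_SESSION_KEY = "_auth_user_backend"  # name from the ticket; value constructed
SESSION_KEY = "_auth_user_id"               # constructed

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    """Hypothetical user record; carries no 'backend' attribute until authenticated."""
    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

class StoreBackend:
    """Hypothetical backend that checks credentials against an in-memory store."""
    def __init__(self, users):
        self.users = users
    def authenticate(self, username, password):
        user = self.users.get(username)
        if user and hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
            return user
        return None

def authenticate(backends, **credentials):
    """Try each configured backend; tag the user with the one that vouched for it."""
    for backend in backends:
        user = backend.authenticate(**credentials)
        if user is not None:
            user.backend = type(backend).__name__
            return user
    return None

def login(session, user):
    """Persist an authenticated user; raises AttributeError if authenticate() was skipped."""
    session[BACKEND_SESSION_KEY] = user.backend
    session[SESSION_KEY] = user.username

def signup(session, backends, users, username, password):
    """Create the account, then authenticate with the credentials already in hand."""
    users[username] = User(username, password)
    user = authenticate(backends, username=username, password=password)
    if user is None:
        return False  # the site's configured backends did not accept the account
    login(session, user)
    return True
```

With an empty backend list, signup() creates the account but leaves the session untouched, which is the site-configuration guarantee the comment describes.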
