Opened 8 years ago

Closed 8 years ago

#2353 closed defect (invalid)

auth doesn't allow direct use of login() (without prior authenticate call)

Reported by: rhettg
Owned by: adrian
Component: Contrib apps
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

It would appear that I cannot call login without calling authenticate() because the 'backend' member variable does not exist until you call authenticate.
This seems rather unfriendly at least, but also limiting for no good reason. What if I want to handle authentication myself?

I'm not sure if this is the only place that matters:

django.contrib.auth.__init__ line 53:

request.session[BACKEND_SESSION_KEY] = user.backend

My usage of this is a signup page. I create the user, and I just want to directly log them in by calling login(request, user) on my newly created user object. I would rather not have an extra authenticate() call.

Attachments (0)

Change History (1)

comment:1 Changed 8 years ago by mtredinnick

  • Resolution set to invalid
  • Status changed from new to closed

This is not a good idea. The login() method is designed to make the current authorisation token persistent. It assumes the user has already been authorised by passing an authentication phase. That is one reason why we also record which backend they authenticated against, so that we can interact with it later if needs be.

If you want to handle the authentication yourself, then writing your own authentication backend is the solution. If you want to log them in immediately after creating the account, you will have the password and username (if that's what your auth backend needs) at that point and can call authenticate() correctly. But marking a user as logged in without having authenticated them via one of the approved backends with the required credentials would be a security hole (it would let apps work around a site's configured security settings, for example).

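An added illustration of the mechanism discussed in this ticket (example code written for this page, not Django's own implementation): a toy model of the authenticate()/login() pair in which authenticate() runs the site's configured backends and stamps the backend on the user, and login() refuses any user that no backend has vetted, exactly the failure the reporter hit. The backend list, the in-memory user store and the plaintext password check are constructed simplifications; real Django stores the backend's dotted import path and hashes passwords.

```python
# Added example, not Django's own code: a minimal model of how
# django.contrib.auth's authenticate()/login() pair fit together, to show
# why login() depends on the backend recorded by authenticate().
BACKEND_SESSION_KEY = "_auth_user_backend"   # same key names Django uses
SESSION_KEY = "_auth_user_id"

class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password   # plaintext only in this toy model

USERS = {}   # constructed in-memory stand-in for the user table

class ModelBackend:
    """Toy stand-in for django.contrib.auth.backends.ModelBackend."""
    def authenticate(self, username=None, password=None):
        user = USERS.get(username)
        if user is not None and user.password == password:
            return user
        return None

AUTHENTICATION_BACKENDS = [ModelBackend()]   # the site's configured policy

def authenticate(**credentials):
    # Ask each configured backend in turn; the first one that vouches for
    # the credentials is recorded on the user object (Django stores the
    # dotted class path; the bare class name is used here for brevity).
    for backend in AUTHENTICATION_BACKENDS:
        user = backend.authenticate(**credentials)
        if user is not None:
            user.backend = type(backend).__name__
            return user
    return None

def login(session, user):
    # Persist an identity that has already passed a backend. Like the line
    # quoted in the ticket, this reads user.backend and fails when no
    # backend has authenticated the user.
    if not hasattr(user, "backend"):
        raise AttributeError("login() called on a user no backend authenticated")
    session[SESSION_KEY] = user.username
    session[BACKEND_SESSION_KEY] = user.backend

def signup_and_login(session, username, password):
    """The flow recommended in the reply: create, authenticate(), then login()."""
    USERS[username] = User(username, password)
    user = authenticate(username=username, password=password)
    login(session, user)
    return session
```
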