Context Navigation

← Previous Ticket
Next Ticket →

#23925 closed Bug (fixed)

django.contrib.auth.authenticate sets the wrong backend path

Reported by:	sdeprez	Owned by:	sdeprez
Component:	contrib.auth	Version:	1.7
Severity:	Normal	Keywords:
Cc:	sdeprez	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by sdeprez)

The django.contrib.auth.authenticate function currently tries to authenticate a user by checking each backend in settings.AUTHENTICATION_BACKENDS, and when it has found one that works, it annotates the user by adding a path attribute that is the path of the backend (as a Python object). However the path is computed based on the __class__ attribute of the backend object, which give the "real" path of the object, and NOT based on the path given by settings.AUTHENTICATION_BACKENDS.

This is problematic beacause they may differ, and thus the later check if backend_path in settings.AUTHENTICATION_BACKENDS in django.contrib.auth.get_user can fail whereas it should not.

Steps to reproduce the bug :

create a custom backend in some module : my_app.my_module_backend.CustomBackend

create another module that imports this module. For instance, it's common practice to import it in the __init__.py file of the package. So, in my_app/__init__.py put from my_app import CustomBackend.

Set AUTHENTICATION_BACKENDS = my_app.CustomBackend

Run django, create an user and try to login. Everything will go fine (no errors), except that you WON'T be logged, because of django.contrib.auth.get_user that will return an AnonymousUser. This can be very painful to track and this can even lead to infinite loops if your LOGIN_REDIRECT_URL is an url that requires login, because the session key will be set but an AnonymousUser is returned.

A pull request is linked which addresses the issue by setting the actual path used in AUTHENTICATION_BACKENDS in the user, without any changes to the working public API. All the tests passed under SQLite.

Change History (8)

comment:1 by sdeprez, 9 years ago

Cc:	sdeprez added
Owner:	changed from nobody to sdeprez
Status:	new → assigned

comment:2 by sdeprez, 9 years ago

Has patch:	unset

comment:3 by sdeprez, 9 years ago

Description:	modified (diff)

comment:4 by Tim Graham, 9 years ago

Has patch:	set
Triage Stage:	Unreviewed → Accepted

comment:5 by Tim Graham, 9 years ago

Patch needs improvement:	set

Comments for improvement are on the PR, please uncheck "Patch needs improvement" when you update it.

comment:6 by sdeprez, 9 years ago

Patch needs improvement:	unset

comment:7 by Tim Graham <timograham@…>, 9 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 9e80c5f457340126adcae375d6de5ee64d6075b9:

Fixed #23925 -- Allowed settings.AUTHENTICATION_BACKENDS to reference import aliases

comment:8 by Tim Graham <timograham@…>, 9 years ago

In 0d5ca7b560dbb827eea625e53e4a6a67c29d7964:

Moved an import in an auth test; refs #23925.

This keeps tests/init.py from importing other modules and may fix a problem
with test discovery revealed in formtools tests on Travis CI.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues