Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#23925 closed Bug (fixed)

django.contrib.auth.authenticate sets the wrong backend path

Reported by: sdeprez
Owned by: sdeprez
Component: contrib.auth
Version: 1.7
Severity: Normal
Keywords:
Cc: sdeprez
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by sdeprez)

The django.contrib.auth.authenticate function currently tries to authenticate a user by checking each backend in settings.AUTHENTICATION_BACKENDS, and when it has found one that works, it annotates the user by adding a path attribute that is the path of the backend (as a Python object). However, the path is computed based on the __class__ attribute of the backend object, which gives the "real" path of the object, and NOT based on the path given by settings.AUTHENTICATION_BACKENDS.

This is problematic because they may differ, and thus the later check if backend_path in settings.AUTHENTICATION_BACKENDS in django.contrib.auth.get_user can fail whereas it should not.

Steps to reproduce the bug:

  • create a custom backend in some module: my_app.my_module_backend.CustomBackend
  • create another module that imports this module. For instance, it's common practice to import it in the __init__.py file of the package. So, in my_app/__init__.py put from my_app import CustomBackend.
  • Set AUTHENTICATION_BACKENDS = my_app.CustomBackend
  • Run Django, create a user and try to log in. Everything will go fine (no errors), except that you WON'T be logged in, because of django.contrib.auth.get_user that will return an AnonymousUser. This can be very painful to track and this can even lead to infinite loops if your LOGIN_REDIRECT_URL is a URL that requires login, because the session key will be set but an AnonymousUser is returned.

A pull request is linked which addresses the issue by setting the actual path used in AUTHENTICATION_BACKENDS in the user, without any changes to the working public API. All the tests passed under SQLite.
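The mismatch described above can be reproduced without Django. The following is an added example, not code from the ticket or from Django: `authenticate_old`, `authenticate_fixed` and `get_user` are simplified, hypothetical models of the behaviour the description reports, and the `my_app` package is constructed in memory.

```python
import sys
import types
from importlib import import_module

class User:
    backend = None

def _check(self, username=None, password=None):
    return User() if password == "correct" else None

# Constructed stand-in for the ticket's layout: the class is defined in
# my_app.my_module_backend and re-exported from my_app/__init__.py.
pkg = types.ModuleType("my_app")
mod = types.ModuleType("my_app.my_module_backend")
CustomBackend = type("CustomBackend", (),
                     {"authenticate": _check, "__module__": mod.__name__})
mod.CustomBackend = CustomBackend
pkg.CustomBackend = CustomBackend  # the import alias
sys.modules.update({"my_app": pkg, "my_app.my_module_backend": mod})

AUTHENTICATION_BACKENDS = ("my_app.CustomBackend",)  # settings use the alias

def import_string(path):
    module_path, name = path.rsplit(".", 1)
    return getattr(import_module(module_path), name)

def authenticate_old(**credentials):
    """Reported behaviour: path derived from the backend's class."""
    for path in AUTHENTICATION_BACKENDS:
        backend = import_string(path)()
        user = backend.authenticate(**credentials)
        if user is not None:
            user.backend = "%s.%s" % (backend.__module__,
                                      backend.__class__.__name__)
            return user

def authenticate_fixed(**credentials):
    """Behaviour the description proposes: keep the path from settings."""
    for path in AUTHENTICATION_BACKENDS:
        backend = import_string(path)()
        user = backend.authenticate(**credentials)
        if user is not None:
            user.backend = path
            return user

def get_user(session_backend_path):
    """Models the membership check in get_user that the ticket cites."""
    if session_backend_path in AUTHENTICATION_BACKENDS:
        return "authenticated"
    return "AnonymousUser"
```

With the old computation the stored path is the defining module's path, so the later membership check fails silently even though the credentials were accepted.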

Change History (8)

comment:1 by sdeprez, 10 years ago

Cc: sdeprez added
Owner: changed from nobody to sdeprez
Status: new → assigned

comment:2 by sdeprez, 10 years ago

Has patch: unset

comment:3 by sdeprez, 10 years ago

Description: modified (diff)

comment:4 by Tim Graham, 10 years ago

Has patch: set
Triage Stage: Unreviewed → Accepted

comment:5 by Tim Graham, 10 years ago

Patch needs improvement: set

Comments for improvement are on the PR, please uncheck "Patch needs improvement" when you update it.

comment:6 by sdeprez, 10 years ago

Patch needs improvement: unset

comment:7 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: assigned → closed

In 9e80c5f457340126adcae375d6de5ee64d6075b9:

Fixed #23925 -- Allowed settings.AUTHENTICATION_BACKENDS to reference import aliases

comment:8 by Tim Graham <timograham@…>, 10 years ago

In 0d5ca7b560dbb827eea625e53e4a6a67c29d7964:

Moved an import in an auth test; refs #23925.

This keeps tests/__init__.py from importing other modules and may fix a problem
with test discovery revealed in formtools tests on Travis CI.
