django.contrib.auth.authenticate sets the wrong backend path
The django.contrib.auth.authenticate function currently tries to authenticate a user by checking each backend in settings.AUTHENTICATION_BACKENDS, and when it has found one that works, it annotates the user by adding a path attribute that is the path of the backend (as a Python object). However, the path is computed based on the __class__ attribute of the backend object, which gives the "real" path of the object, and NOT based on the path given by settings.AUTHENTICATION_BACKENDS.
This is problematic because they may differ, and thus the later check if backend_path in settings.AUTHENTICATION_BACKENDS in django.contrib.auth.get_user can fail whereas it should not.
Steps to reproduce the bug:
- Create a custom backend in some module: my_app.my_module_backend.CustomBackend
- Create another module that imports this module. For instance, it's common practice to import it in the __init__.py file of the package. So, in my_app/__init__.py put from my_app import CustomBackend.
- Set AUTHENTICATION_BACKENDS = my_app.CustomBackend
- Run Django, create a user and try to log in. Everything will go fine (no errors), except that you WON'T be logged in, because of django.contrib.auth.get_user that will return an AnonymousUser. This can be very painful to track and this can even lead to infinite loops if your LOGIN_REDIRECT_URL is a URL that requires login, because the session key will be set but an AnonymousUser is returned.
A pull request is linked which addresses the issue by setting the actual path used in AUTHENTICATION_BACKENDS in the user, without any changes to the working public API. All the tests passed under SQLite.
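The mismatch described in this report can be reproduced without Django. The following is an added example, not code from the ticket or from Django: it is a simplified model in which load_backend, authenticate and get_user_accepts are hypothetical stand-ins, and the my_app package is constructed in memory to match the layout in the steps above.

```python
import importlib
import sys
import types

# Constructed stand-in for the ticket's layout: CustomBackend is defined in
# my_app.my_module_backend and re-exported from my_app/__init__.py.
_mod = types.ModuleType("my_app.my_module_backend")
exec(
    "class CustomBackend:\n"
    "    def authenticate(self, **credentials):\n"
    "        return {'username': 'alice'}  # constructed user record\n",
    _mod.__dict__,
)
_pkg = types.ModuleType("my_app")
_pkg.__path__ = []  # marks my_app as a package
_pkg.CustomBackend = _mod.CustomBackend
_pkg.my_module_backend = _mod
sys.modules.update({"my_app": _pkg, "my_app.my_module_backend": _mod})

AUTHENTICATION_BACKENDS = ["my_app.CustomBackend"]  # path as written in settings


def load_backend(path):
    """Import the dotted path and instantiate the backend class (hypothetical helper)."""
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)()


def authenticate(use_configured_path):
    """Return the backend path that would be stored with the login."""
    for path in AUTHENTICATION_BACKENDS:
        backend = load_backend(path)
        if backend.authenticate() is None:
            continue
        if use_configured_path:
            return path  # approach described for the linked pull request
        # Behaviour the ticket reports: path derived from the class itself.
        return "%s.%s" % (backend.__module__, backend.__class__.__name__)
    return None


def get_user_accepts(backend_path):
    """The membership check the ticket quotes from get_user."""
    return backend_path in AUTHENTICATION_BACKENDS


if __name__ == "__main__":
    for flag in (False, True):
        stored = authenticate(flag)
        print(stored, "->", "user" if get_user_accepts(stored) else "AnonymousUser")
```
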
Change History (8)
Cc: sdeprez added
Owner: changed from nobody to sdeprez
Status: new → assigned
Description: modified (diff)
Has patch: set
Triage Stage: Unreviewed → Accepted
Patch needs improvement: set
Patch needs improvement: unset
Resolution: → fixed
Status: assigned → closed
Comments for improvement are on the PR, please uncheck "Patch needs improvement" when you update it.