Opened 10 years ago

Last modified 10 years ago

#23925 closed Bug

django.contrib.auth.authenticate sets the wrong backend path — at Version 3

Reported by: sdeprez
Owned by: sdeprez
Component: contrib.auth
Version: 1.7
Severity: Normal
Keywords:
Cc: sdeprez
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by sdeprez)

The django.contrib.auth.authenticate function currently tries to authenticate a user by checking each backend in settings.AUTHENTICATION_BACKENDS, and when it has found one that works, it annotates the user by adding a path attribute that is the path of the backend (as a Python object). However, the path is computed based on the __class__ attribute of the backend object, which gives the "real" path of the object, and NOT based on the path given by settings.AUTHENTICATION_BACKENDS.

This is problematic because they may differ, and thus the later check if backend_path in settings.AUTHENTICATION_BACKENDS in django.contrib.auth.get_user can fail whereas it should not.

Steps to reproduce the bug:

  • Create a custom backend in some module: my_app.my_module_backend.CustomBackend
  • Create another module that imports this module. For instance, it's common practice to import it in the __init__.py file of the package. So, in my_app/__init__.py put from my_app import CustomBackend.
  • Set AUTHENTICATION_BACKENDS = my_app.CustomBackend
  • Run Django, create a user and try to log in. Everything will go fine (no errors), except that you WON'T be logged in, because django.contrib.auth.get_user will return an AnonymousUser. This can be very painful to track down, and it can even lead to infinite loops if your LOGIN_REDIRECT_URL is a URL that requires login, because the session key will be set but an AnonymousUser is returned.

A pull request is linked which addresses the issue by setting the actual path used in AUTHENTICATION_BACKENDS in the user, without any changes to the working public API. All the tests passed under SQLite.
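
A minimal model of the mismatch described in this ticket, added here as an illustration; it is not Django's code or the linked pull request. The functions `load_backend`, `authenticate` and `get_user` are simplified stand-ins for the ones named above, the modules are constructed in memory, and the `record_settings_path` flag is a hypothetical switch between the reported behaviour and the fix the description outlines.

```python
import sys
import types
from importlib import import_module

# Constructed layout from the report: the class is defined in
# my_app.my_module_backend and re-exported by my_app/__init__.py.
class CustomBackend:
    __module__ = "my_app.my_module_backend"

    def authenticate(self, username=None, password=None):
        return types.SimpleNamespace(username=username)

pkg = types.ModuleType("my_app")
sub = types.ModuleType("my_app.my_module_backend")
pkg.CustomBackend = sub.CustomBackend = CustomBackend
sys.modules.update({"my_app": pkg, "my_app.my_module_backend": sub})

AUTHENTICATION_BACKENDS = ["my_app.CustomBackend"]  # stand-in for settings

def load_backend(path):
    module_path, class_name = path.rsplit(".", 1)
    return getattr(import_module(module_path), class_name)()

def authenticate(record_settings_path, **credentials):
    """Try each configured backend and annotate the user with a backend path."""
    for path in AUTHENTICATION_BACKENDS:
        backend = load_backend(path)
        user = backend.authenticate(**credentials)
        if user is None:
            continue
        if record_settings_path:
            user.backend = path  # fix: keep the path exactly as configured
        else:
            # reported behaviour: path derived from the object's defining module
            user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
        return user
    return None

def get_user(session_backend_path):
    """Accept the session only if its backend path is a configured one."""
    if session_backend_path in AUTHENTICATION_BACKENDS:
        return "authenticated user"
    return "AnonymousUser"

if __name__ == "__main__":
    for fixed in (False, True):
        user = authenticate(fixed, username="alice", password="constructed")
        print(fixed, user.backend, "->", get_user(user.backend))
```

The membership check itself is correct to fail closed on an unknown path; the defect is that the stored path and the configured path name the same class differently, so a valid login is silently downgraded.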

Change History (3)

comment:1 by sdeprez, 10 years ago

Cc: sdeprez added
Owner: changed from nobody to sdeprez
Status: new → assigned

comment:2 by sdeprez, 10 years ago

Has patch: unset

comment:3 by sdeprez, 10 years ago

Description: modified (diff)