Opened 10 years ago
Last modified 10 years ago
#23925 closed Bug
django.contrib.auth.authenticate sets the wrong backend path — at Version 3
Reported by: | sdeprez | Owned by: | sdeprez |
---|---|---|---|
Component: | contrib.auth | Version: | 1.7 |
Severity: | Normal | Keywords: | |
Cc: | sdeprez | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The django.contrib.auth.authenticate
function currently tries to authenticate a user by checking each backend in settings.AUTHENTICATION_BACKENDS
, and when it has found one that works, it annotates the user by adding a path
attribute that is the path of the backend (as a Python object). However the path is computed based on the __class__
attribute of the backend object, which give the "real" path of the object, and NOT based on the path given by settings.AUTHENTICATION_BACKENDS
.
This is problematic beacause they may differ, and thus the later check if backend_path in settings.AUTHENTICATION_BACKENDS
in django.contrib.auth.get_user
can fail whereas it should not.
Steps to reproduce the bug :
- create a custom backend in some module :
my_app.my_module_backend.CustomBackend
- create another module that imports this module. For instance, it's common practice to import it in the
__init__.py
file of the package. So, inmy_app/__init__.py
putfrom my_app import CustomBackend
.
- Set
AUTHENTICATION_BACKENDS = my_app.CustomBackend
- Run django, create an user and try to login. Everything will go fine (no errors), except that you WON'T be logged, because of
django.contrib.auth.get_user
that will return an AnonymousUser. This can be very painful to track and this can even lead to infinite loops if yourLOGIN_REDIRECT_URL
is an url that requires login, because the session key will be set but anAnonymousUser
is returned.
A pull request is linked which addresses the issue by setting the actual path used in AUTHENTICATION_BACKENDS
in the user, without any changes to the working public API. All the tests passed under SQLite.
Change History (3)
comment:1 by , 10 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
comment:2 by , 10 years ago
Has patch: | unset |
---|
comment:3 by , 10 years ago
Description: | modified (diff) |
---|