#28207 closed Bug (fixed)
contrib.auth.authenticate() doesn't work correctly if multiple auth backends don't accept a position request argument
| Reported by: | Tamas Szabo | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.11 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Django 1.11 introduced the new request positional argument for the authenticate method.
Unfortunately, it looks like the implementation has a bug. The credentials parameter received by the function can be mutated to adapt the keyword arguments when calling the backend:
https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L92
However, the variable isn't reset at the top of the loop (like args is) so the following backend(s) will be processed as if request was in the **credentials` dictionary.
As a result both
https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L72
and
https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L77
will always fail with type errors, because the request argument is passed in twice into them.
Change History (8)
comment:1 by , 7 years ago
comment:3 by , 7 years ago
| Component: | Core (Management commands) → contrib.auth |
|---|---|
| Has patch: | set |
| Severity: | Normal → Release blocker |
| Summary: | Bug in contrib.auth.authenticate → contrib.auth.authenticate() doesn't work correctly if multiple auth backends don't accept a position request argument |
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Bug |
comment:6 by , 7 years ago
This causes a TypeError with Social Auth's Django app.
See https://github.com/django/django/pull/8533.
Test that fails because of the bug described:
https://github.com/sztamas/django/commit/74cc4d6cce6d83d72392ba5b371e004746e59c66