Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#28207 closed Bug (fixed)

contrib.auth.authenticate() doesn't work correctly if multiple auth backends don't accept a position request argument

Reported by: Tamas Szabo
Owned by: nobody
Component: contrib.auth
Version: 1.11
Severity: Release blocker
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Django 1.11 introduced the new request positional argument for the authenticate method.

Unfortunately, it looks like the implementation has a bug. The credentials parameter received by the function can be mutated to adapt the keyword arguments when calling the backend:

https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L92

However, the variable isn't reset at the top of the loop (like args is) so the following backend(s) will be processed as if request was in the `**credentials` dictionary.

As a result both

https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L72
and
https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L77

will always fail with type errors, because the request argument is passed in twice into them.

Change History (8)

comment:1 Changed 6 months ago by Tamas Szabo

comment:2 Changed 6 months ago by Tamas Szabo

PR with extra unit test and proposed fix.

comment:3 Changed 6 months ago by Tim Graham

Component: Core (Management commands) → contrib.auth
Has patch: set
Severity: Normal → Release blocker
Summary: Bug in contrib.auth.authenticate → contrib.auth.authenticate() doesn't work correctly if multiple auth backends don't accept a position request argument
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

comment:4 Changed 6 months ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In 3008f30f:

Fixed #28207 -- Fixed contrib.auth.authenticate() if multiple auth backends don't accept a request.

comment:5 Changed 6 months ago by Tim Graham <timograham@…>

In d945b7e:

[1.11.x] Fixed #28207 -- Fixed contrib.auth.authenticate() if multiple auth backends don't accept a request.

Backport of 3008f30f194af386c354416be4c483f0f6b15f33 from master

comment:6 Changed 6 months ago by Daniel Hahler

This causes a TypeError with Social Auth's Django app.
See https://github.com/django/django/pull/8533.

comment:7 Changed 6 months ago by Tim Graham <timograham@…>

In a3ba2662:

Refs #28207 -- Fixed contrib.auth.authenticate() if 'backend' is in the credentials.

Regression in 3008f30f194af386c354416be4c483f0f6b15f33.

comment:8 Changed 6 months ago by Tim Graham <timograham@…>

In a810f4aa:

[1.11.x] Refs #28207 -- Fixed contrib.auth.authenticate() if 'backend' is in the credentials.

Regression in 3008f30f194af386c354416be4c483f0f6b15f33.

Backport of a3ba2662cdaa36183fdfb8a26dfa157e26fca76a from master
