Context Navigation

← Previous Ticket
Next Ticket →

#36200 closed Cleanup/optimization (fixed)

Mention that RemoteUserMiddleware should be replaced when using custom header middleware with RemoteUserBackend

Reported by:	Joonas Häkkinen	Owned by:	Joonas Häkkinen
Component:	Documentation	Version:	5.1
Severity:	Normal	Keywords:	REMOTE_USER, authentication, middleware
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

REMOTE_USER authentication docs at https://docs.djangoproject.com/en/5.1/howto//auth-remote-user/ cover using a custom middleware to read the username from HTTP headers. However, it does not specify that the custom middleware should replace RemoteUserMiddleware rather than be appended to MIDDLEWARE.

This is essentially a small omission and might be clear to experienced Django users. However, at least for me, an experienced web developer but totally new to Django, this was surprising and the resulting CSRF validation failure made me suspect something completely different for two full days. Thus I though that a small mention about replacing instead of appending RemoteUserMiddleware with the custom one would be a reasonable addition to the docs.

I will be opening a PR for this shortly unless you think this is not worth including in the docs.

Change History (8)

comment:1 by Joonas Häkkinen, 2 days ago

Forgot to link the relevant discussion: https://forum.djangoproject.com/t/csrf-fails-when-remoteusermiddleware-is-used-behind-reverse-proxy-without-tls/38929/1

comment:2 by Sarah Boyce, 2 days ago

Triage Stage:	Unreviewed → Accepted
Type:	Uncategorized → Cleanup/optimization

Thank you for the ticket Joonas.
I am happy to review a PR with a small addition here, given this is a how-to doc and there aren't many examples of middleware being overridden in the docs

comment:3 by Joonas Häkkinen, 2 days ago

Has patch:	set

comment:4 by Sarah Boyce, 22 hours ago

Patch needs improvement:	set

comment:5 by Sarah Boyce, 21 hours ago

Patch needs improvement:	unset
Triage Stage:	Accepted → Ready for checkin

comment:6 by Sarah Boyce <42296566+sarahboyce@…>, 19 hours ago

Resolution:	→ fixed
Status:	assigned → closed

In 87c5de3b:

Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a custom RemoteUserMiddleware.

comment:7 by Sarah Boyce <42296566+sarahboyce@…>, 19 hours ago

In aadc5c5:

[5.2.x] Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a custom RemoteUserMiddleware.

Backport of 87c5de3b7f2316aa17353d74f54e6ff19013d049 from main.

comment:8 by Sarah Boyce <42296566+sarahboyce@…>, 19 hours ago

In 914cde19:

[5.1.x] Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a custom RemoteUserMiddleware.

Backport of 87c5de3b7f2316aa17353d74f54e6ff19013d049 from main.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues