XViewMiddleware raises AttributeError when authentication system is disabled

[Takanori Ishikawa]

How to reproduce

1. Disable django.contrib.auth.middleware.AuthenticationMiddleware in settings.MIDDLEWARE_CLASSES
2. Disable django.contrib.auth in settings.INSTALLED_APPS
3. Make sure settings.INTERNAL_IPS is empty.

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
)

INSTALLED_APPS = (
    #'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'mysite.polls',
)

INTERNAL_IPS = ()

4. Open url via a HEAD request. (Make sure the corresponding page exists in url.py)
5. '500 INTERNAL SERVER ERROR' response

% curl --head http://localhost:8000/polls/
HTTP/1.0 500 INTERNAL SERVER ERROR
Date: Fri, 23 May 2008 15:23:53 GMT
Server: WSGIServer/0.1 Python/2.5.2
Content-Type: text/html

6. So, in the Python traceback, it caused by django.middleware.doc.XViewMiddleware

05-19 05:48AM 48.597 Exception in request: Traceback (most recent call
Exception in request:
Traceback (most recent call last):
  File "/base/data/home/apps/metareal/1.10/django/core/handlers/base.py", line 77, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/base/data/home/apps/metareal/1.10/django/middleware/doc.py", line 15, in process_view
    if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user.is_authenticated() and request.user.is_staff)):
AttributeError: 'WSGIRequest' object has no attribute 'user'

My Environment

• Mac OS X 10.4.11
• Python 2.5.2
• Django revision 7547

Patch

Attached patch: django_xview_middleware.diff might fix the problem. It also add testcase for XViewMiddleware.

[James Bennett]

If something has a particular dependency, hiding the dependency and pretending it will still work isn't the correct solution.

[Luke Plant]

According to the documentation of the middleware, the auth subsystem is not an absolute dependency. For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem, just like the xheaders middleware, as ishikawa_takanori pointed out on the mailing list.

Comments, ubernostrum?

[royleban@…]

I think this is a bug. The code dereferences through a None value and it shouldn't. It occurs for HEAD requests on Google App Engine if you use Google Auth instead of Django auth. The previously attached diff is not correct. The correct fix is the following code:

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user and request.user.is_authenticated() and request.user.is_staff)):

Change is addition of "request.user and"

[royleban@…]

One more thing: Taking this statement "For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem" at face value explains why it's a bug. Since I only need one or the other, the code must not fail if I don't have the auth subsystem. And it does.

[Debriter]

I run into this problem myself as I'm using my own auth system. I couldn't agree more with royleban.

Has this been committed to the main branch? I'm using django off of Ubuntu 9.04 release and it's not fixed there.

Thanks.

[Debriter]

Proposed fix (slightly different than royleban's):

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (hasattr(request, "user") and request.user.is_authenticated() and request.user.is_staff)):

[Alex Gaynor]

Marking as accepted, if it has a dependency it should raise an explicit error about that, not fail on an attribute error.

[Claude Paroz]

Duplicate of already fixed #14506