Opened 16 years ago

Closed 11 years ago

#7299 closed Bug (duplicate)

XViewMiddleware raises AttributeError when authentication system is disabled

Reported by: Takanori Ishikawa Owned by: nobody
Component: Core (Other) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

How to reproduce

  1. Disable django.contrib.auth.middleware.AuthenticationMiddleware in settings.MIDDLEWARE_CLASSES
  2. Disable django.contrib.auth in settings.INSTALLED_APPS
  3. Make sure settings.INTERNAL_IPS is empty.
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
)

INSTALLED_APPS = (
    #'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'mysite.polls',
)

INTERNAL_IPS = ()
  1. Open url via a HEAD request. (Make sure the corresponding page exists in url.py)
  2. '500 INTERNAL SERVER ERROR' response
% curl --head http://localhost:8000/polls/
HTTP/1.0 500 INTERNAL SERVER ERROR
Date: Fri, 23 May 2008 15:23:53 GMT
Server: WSGIServer/0.1 Python/2.5.2
Content-Type: text/html
  1. So, in the Python traceback, it caused by django.middleware.doc.XViewMiddleware
05-19 05:48AM 48.597 Exception in request: Traceback (most recent call
Exception in request:
Traceback (most recent call last):
  File "/base/data/home/apps/metareal/1.10/django/core/handlers/base.py", line 77, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/base/data/home/apps/metareal/1.10/django/middleware/doc.py", line 15, in process_view
    if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user.is_authenticated() and request.user.is_staff)):
AttributeError: 'WSGIRequest' object has no attribute 'user'

My Environment

  • Mac OS X 10.4.11
  • Python 2.5.2
  • Django revision 7547

Patch

Attached patch: django_xview_middleware.diff might fix the problem. It also add testcase for XViewMiddleware.

Attachments (1)

django_xview_middleware.diff (2.6 KB ) - added by Takanori Ishikawa 16 years ago.

Download all attachments as: .zip

Change History (10)

by Takanori Ishikawa, 16 years ago

comment:1 by James Bennett, 16 years ago

Resolution: wontfix
Status: newclosed

If something has a particular dependency, hiding the dependency and pretending it will still work isn't the correct solution.

comment:2 by Luke Plant, 16 years ago

Resolution: wontfix
Status: closedreopened
Triage Stage: UnreviewedDesign decision needed

According to the documentation of the middleware, the auth subsystem is not an absolute dependency. For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem, just like the xheaders middleware, as ishikawa_takanori pointed out on the mailing list.

Comments, ubernostrum?

comment:3 by royleban@…, 15 years ago

I think this is a bug. The code dereferences through a None value and it shouldn't. It occurs for HEAD requests on Google App Engine if you use Google Auth instead of Django auth. The previously attached diff is not correct. The correct fix is the following code:

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user and request.user.is_authenticated() and request.user.is_staff)):

Change is addition of "request.user and"

comment:4 by royleban@…, 15 years ago

One more thing: Taking this statement "For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem" at face value explains why it's a bug. Since I only need one or the other, the code must not fail if I don't have the auth subsystem. And it does.

comment:5 by Debriter, 15 years ago

I run into this problem myself as I'm using my own auth system. I couldn't agree more with royleban.

Has this been committed to the main branch? I'm using django off of Ubuntu 9.04 release and it's not fixed there.

Thanks.

comment:6 by Debriter, 15 years ago

Proposed fix (slightly different than royleban's):

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (hasattr(request, "user") and request.user.is_authenticated() and request.user.is_staff)):

comment:7 by Luke Plant, 13 years ago

Severity: Normal
Type: Bug

comment:8 by Alex Gaynor, 13 years ago

Easy pickings: unset
Triage Stage: Design decision neededAccepted
UI/UX: unset

Marking as accepted, if it has a dependency it should raise an explicit error about that, not fail on an attribute error.

comment:9 by Claude Paroz, 11 years ago

Resolution: duplicate
Status: reopenedclosed

Duplicate of already fixed #14506

Note: See TracTickets for help on using tickets.
Back to Top