Opened 8 years ago

Closed 4 years ago

#7299 closed Bug (duplicate)

XViewMiddleware raises AttributeError when authentication system is disabled

Reported by: Takanori Ishikawa
Owned by: nobody
Component: Core (Other)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

How to reproduce

  1. Disable django.contrib.auth.middleware.AuthenticationMiddleware in settings.MIDDLEWARE_CLASSES
  2. Disable django.contrib.auth in settings.INSTALLED_APPS
  3. Make sure settings.INTERNAL_IPS is empty.
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
)

INSTALLED_APPS = (
    #'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'mysite.polls',
)

INTERNAL_IPS = ()
  4. Open url via a HEAD request. (Make sure the corresponding page exists in url.py)
  5. '500 INTERNAL SERVER ERROR' response
% curl --head http://localhost:8000/polls/
HTTP/1.0 500 INTERNAL SERVER ERROR
Date: Fri, 23 May 2008 15:23:53 GMT
Server: WSGIServer/0.1 Python/2.5.2
Content-Type: text/html
  6. So, in the Python traceback, it is caused by django.middleware.doc.XViewMiddleware
05-19 05:48AM 48.597 Exception in request: Traceback (most recent call
Exception in request:
Traceback (most recent call last):
  File "/base/data/home/apps/metareal/1.10/django/core/handlers/base.py", line 77, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/base/data/home/apps/metareal/1.10/django/middleware/doc.py", line 15, in process_view
    if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user.is_authenticated() and request.user.is_staff)):
AttributeError: 'WSGIRequest' object has no attribute 'user'

My Environment

  • Mac OS X 10.4.11
  • Python 2.5.2
  • Django revision 7547

Patch

Attached patch: django_xview_middleware.diff might fix the problem. It also adds a test case for XViewMiddleware.

Attachments (1)

django_xview_middleware.diff (2.6 KB) - added by Takanori Ishikawa 8 years ago.


Change History (10)

Changed 8 years ago by Takanori Ishikawa

comment:1 Changed 8 years ago by James Bennett

Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset
Resolution: wontfix
Status: new → closed

If something has a particular dependency, hiding the dependency and pretending it will still work isn't the correct solution.

comment:2 Changed 8 years ago by Luke Plant

Resolution: wontfix
Status: closed → reopened
Triage Stage: Unreviewed → Design decision needed

According to the documentation of the middleware, the auth subsystem is not an absolute dependency. For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem, just like the xheaders middleware, as ishikawa_takanori pointed out on the mailing list.

Comments, ubernostrum?

comment:3 Changed 8 years ago by royleban@…

I think this is a bug. The code dereferences through a None value and it shouldn't. It occurs for HEAD requests on Google App Engine if you use Google Auth instead of Django auth. The previously attached diff is not correct. The correct fix is the following code:

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user and request.user.is_authenticated() and request.user.is_staff)):

Change is addition of "request.user and"

comment:4 Changed 8 years ago by royleban@…

One more thing: Taking this statement "For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem" at face value explains why it's a bug. Since I only need one or the other, the code must not fail if I don't have the auth subsystem. And it does.

comment:5 Changed 7 years ago by Debriter

I run into this problem myself as I'm using my own auth system. I couldn't agree more with royleban.

Has this been committed to the main branch? I'm using django off of Ubuntu 9.04 release and it's not fixed there.

Thanks.

comment:6 Changed 7 years ago by Debriter

Proposed fix (slightly different than royleban's):

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (hasattr(request, "user") and request.user.is_authenticated() and request.user.is_staff)):

comment:7 Changed 5 years ago by Luke Plant

Severity: Normal
Type: Bug

comment:8 Changed 5 years ago by Alex Gaynor

Easy pickings: unset
Triage Stage: Design decision needed → Accepted
UI/UX: unset

Marking as accepted, if it has a dependency it should raise an explicit error about that, not fail on an attribute error.

comment:9 Changed 4 years ago by Claude Paroz

Resolution: duplicate
Status: reopened → closed

Duplicate of already fixed #14506
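
Added example, not part of the ticket or of Django's code: the condition from the traceback and the variants proposed in comment:3 and comment:6, plus one reading of the explicit error suggested in comment:8, run against constructed stand-in requests. `FakeRequest`, `StaffUser`, `MissingAuthDependency` and the function names are assumptions made for the illustration.

```python
# Added illustration: FakeRequest, StaffUser, MissingAuthDependency and the
# function names are constructed stand-ins, not Django code.
class StaffUser:
    is_staff = True
    def is_authenticated(self):  # a method, as in the ticket's code
        return True

class FakeRequest:
    def __init__(self, remote_addr, **attrs):
        self.method = "HEAD"
        self.META = {"REMOTE_ADDR": remote_addr}
        self.__dict__.update(attrs)  # "user" exists only when passed in

class MissingAuthDependency(Exception):
    """Hypothetical explicit error for the missing auth dependency."""

def original(request, ips):  # condition shown in the traceback
    return request.method == "HEAD" and (
        request.META.get("REMOTE_ADDR") in ips
        or (request.user.is_authenticated() and request.user.is_staff))

def truthy_guard(request, ips):  # comment:3, adds "request.user and"
    return request.method == "HEAD" and (
        request.META.get("REMOTE_ADDR") in ips
        or (request.user and request.user.is_authenticated()
            and request.user.is_staff))

def hasattr_guard(request, ips):  # comment:6, adds hasattr(request, "user")
    return request.method == "HEAD" and (
        request.META.get("REMOTE_ADDR") in ips
        or (hasattr(request, "user") and request.user.is_authenticated()
            and request.user.is_staff))

def explicit_dependency(request, ips):  # one reading of comment:8
    if request.method != "HEAD":
        return False
    if request.META.get("REMOTE_ADDR") in ips:
        return True
    if not hasattr(request, "user"):
        raise MissingAuthDependency("no request.user and no INTERNAL_IPS match")
    return request.user.is_authenticated() and request.user.is_staff

def outcome(check, request, ips=()):
    """Return the check's boolean result, or the name of what it raised."""
    try:
        return bool(check(request, ips))
    except Exception as exc:
        return type(exc).__name__
```

For a request with no `user` attribute and empty INTERNAL_IPS, `outcome` gives "AttributeError" for `original` and `truthy_guard` and False for `hasattr_guard`; for a request whose `user` is None the two guards swap results. When the client address is listed in INTERNAL_IPS the original condition short-circuits and never touches `request.user`, which is why step 3 of the reproduction requires the setting to be empty.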
