Opened 7 years ago

Closed 2 years ago

#7299 closed Bug (duplicate)

XViewMiddleware raises AttributeError when authentication system is disabled

Reported by: ishikawa_takanori Owned by: nobody
Component: Core (Other) Version: master
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

How to reproduce

  1. Disable django.contrib.auth.middleware.AuthenticationMiddleware in settings.MIDDLEWARE_CLASSES
  2. Disable django.contrib.auth in settings.INSTALLED_APPS
  3. Make sure settings.INTERNAL_IPS is empty.
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.doc.XViewMiddleware',
)

INSTALLED_APPS = (
    #'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'mysite.polls',
)

INTERNAL_IPS = ()
  4. Open the URL via a HEAD request. (Make sure the corresponding page exists in url.py)
  5. '500 INTERNAL SERVER ERROR' response
% curl --head http://localhost:8000/polls/
HTTP/1.0 500 INTERNAL SERVER ERROR
Date: Fri, 23 May 2008 15:23:53 GMT
Server: WSGIServer/0.1 Python/2.5.2
Content-Type: text/html
  6. So, in the Python traceback, it is caused by django.middleware.doc.XViewMiddleware
05-19 05:48AM 48.597 Exception in request: Traceback (most recent call
Exception in request:
Traceback (most recent call last):
  File "/base/data/home/apps/metareal/1.10/django/core/handlers/base.py", line 77, in get_response
    response = middleware_method(request, callback, callback_args, callback_kwargs)
  File "/base/data/home/apps/metareal/1.10/django/middleware/doc.py", line 15, in process_view
    if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user.is_authenticated() and request.user.is_staff)):
AttributeError: 'WSGIRequest' object has no attribute 'user'

My Environment

  • Mac OS X 10.4.11
  • Python 2.5.2
  • Django revision 7547

Patch

Attached patch: django_xview_middleware.diff might fix the problem. It also adds a test case for XViewMiddleware.

Attachments (1)

django_xview_middleware.diff (2.6 KB) - added by ishikawa_takanori 7 years ago.


Change History (10)

Changed 7 years ago by ishikawa_takanori

comment:1 Changed 7 years ago by ubernostrum

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to wontfix
  • Status changed from new to closed

If something has a particular dependency, hiding the dependency and pretending it will still work isn't the correct solution.

comment:2 Changed 7 years ago by lukeplant

  • Resolution wontfix deleted
  • Status changed from closed to reopened
  • Triage Stage changed from Unreviewed to Design decision needed

According to the documentation of the middleware, the auth subsystem is not an absolute dependency. For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem, just like the xheaders middleware, as ishikawa_takanori pointed out on the mailing list.

Comments, ubernostrum?

comment:3 Changed 7 years ago by royleban@…

I think this is a bug. The code dereferences through a None value and it shouldn't. It occurs for HEAD requests on Google App Engine if you use Google Auth instead of Django auth. The previously attached diff is not correct. The correct fix is the following code:

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (request.user and request.user.is_authenticated() and request.user.is_staff)):

Change is addition of "request.user and"

comment:4 Changed 7 years ago by royleban@…

One more thing: Taking this statement "For this middleware to be useful, it needs either a non-empty INTERNAL_IPS or the auth subsystem" at face value explains why it's a bug. Since I only need one or the other, the code must not fail if I don't have the auth subsystem. And it does.

comment:5 Changed 6 years ago by Debriter

I run into this problem myself as I'm using my own auth system. I couldn't agree more with royleban.

Has this been committed to the main branch? I'm using django off of Ubuntu 9.04 release and it's not fixed there.

Thanks.

comment:6 Changed 6 years ago by Debriter

Proposed fix (slightly different than royleban's):

if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or (hasattr(request, "user") and request.user.is_authenticated() and request.user.is_staff)):
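
The variants of the condition discussed in this ticket (the original from the traceback, comment:3 and comment:6), compared on requests with and without a `user` attribute. This is an added example, not code from the ticket or from Django; the request and user objects are constructed stand-ins, and `combined`, `make_request`, `make_user` and `outcome` are hypothetical names.

```python
from types import SimpleNamespace

INTERNAL_IPS = ()      # empty, as in the ticket's settings
MISSING = object()     # sentinel: the request has no `user` attribute at all

def _internal(request):
    return request.META.get('REMOTE_ADDR') in INTERNAL_IPS

def original(request):   # condition quoted in the traceback
    return request.method == 'HEAD' and (_internal(request) or (
        request.user.is_authenticated() and request.user.is_staff))

def comment3(request):   # comment:3 adds "request.user and"
    return request.method == 'HEAD' and (_internal(request) or (
        request.user and request.user.is_authenticated()
        and request.user.is_staff))

def comment6(request):   # comment:6 adds hasattr(request, "user")
    return request.method == 'HEAD' and (_internal(request) or (
        hasattr(request, 'user') and request.user.is_authenticated()
        and request.user.is_staff))

def combined(request):   # hypothetical: tolerates a missing or None user
    user = getattr(request, 'user', None)
    return request.method == 'HEAD' and (_internal(request) or (
        user is not None and user.is_authenticated() and user.is_staff))

def make_request(user=MISSING, addr='203.0.113.7'):
    # Constructed stand-in for WSGIRequest; `user` is set only if supplied.
    req = SimpleNamespace(method='HEAD', META={'REMOTE_ADDR': addr})
    if user is not MISSING:
        req.user = user
    return req

def make_user(staff):    # constructed user with method-style is_authenticated()
    return SimpleNamespace(is_authenticated=lambda: True, is_staff=staff)

def outcome(check, request):
    """True/False if the check decides, 'AttributeError' if it crashes."""
    try:
        return bool(check(request))
    except AttributeError:
        return 'AttributeError'

if __name__ == '__main__':
    shapes = {'no user attr': make_request(), 'user=None': make_request(None),
              'staff': make_request(make_user(True)),
              'non-staff': make_request(make_user(False))}
    for check in (original, comment3, comment6, combined):
        print(check.__name__, {k: outcome(check, r) for k, r in shapes.items()})
```

The `request.user and` guard only helps when the attribute exists but is None, and the `hasattr` guard only helps when the attribute is absent; in every guarded case that does not raise, the staff check evaluates to False rather than granting access.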

comment:7 Changed 4 years ago by lukeplant

  • Severity set to Normal
  • Type set to Bug

comment:8 Changed 4 years ago by Alex

  • Easy pickings unset
  • Triage Stage changed from Design decision needed to Accepted
  • UI/UX unset

Marking as accepted; if it has a dependency, it should raise an explicit error about that, not fail on an attribute error.

comment:9 Changed 2 years ago by claudep

  • Resolution set to duplicate
  • Status changed from reopened to closed

Duplicate of already fixed #14506
