Unexpected request.user when using @api_view with django_auth_ldap


Denis Nesterov

Aug 31, 2021, 5:54:18 PM
to Django REST framework
Hey everyone.

I've stumbled on some unexpected behavior of the @api_view decorator when working with the LDAP authentication backend of django_auth_ldap. When I try to address request.user, it returns as AnonymousUser.
Functions without @api_view against LDAP users work as expected, and @api_view against local users works fine as well. Also, when using rest_framework.permissions.IsAuthenticated it returns true even though request.user.is_authenticated returns false.

For example:
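from rest_framework.decorators import api_view
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response


@api_view(['GET'])
def api(request):
    if request.user.is_authenticated:
        test_json = {
            'Is authenticated': str(request.user)
        }
    else:
        test_json = {
            'Not authenticated': {
                'user': str(request.user),
                'request_isauth': request.user.is_authenticated,
                # bool() of the IsAuthenticated class object itself;
                # no permission check is run against the request here
                'rest_isauth': bool(IsAuthenticated),
                'username': request.user.username,
            }
        }
    return Response(test_json)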

When called as an authenticated LDAP user, it produces the following results:
{ "Not authenticated": { "user": "AnonymousUser", "request_isauth": false, "rest_isauth": true, "username": "" } }

Versions are:
Django==3.2.6
django-auth-ldap==3.0.0
djangorestframework==3.12.4

I'm not sure if I should report it as an issue for this project or the LDAP one.
Meanwhile, I could use some advice on a workaround. Unfortunately, IsAuthenticated is not enough for me. I also need to check the user's superuser status and group membership.

Thanks,
Denis


Fernando Hernandez de la Cruz

Aug 31, 2021, 6:20:40 PM
to django-res...@googlegroups.com
Hi!

I recommend Django REST Framework and using REST APIs for validation with a token. The question is: how do you know if a user is authenticated?

The validation recommendation is to check the token and know that the user is authenticated...

____________________________________
FERNANDO HERNÁNDEZ DE LA CRUZ
Programmer
Phone: 993 3987 964
Villahermosa, Tabasco, México.

Denis Nesterov

Sep 1, 2021, 4:24:57 AM
to Django REST framework

Update: I found the root cause. Apparently all my LDAP users were not marked as active in Django.
Still, the difference in behavior of normal views and API views regarding this type of user is kind of strange.

Fernando, thank you for responding. However, I did try both session and token authentication. It doesn't appear to make any difference in this situation.

Regards,
Denis
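
Added example, not part of the thread: DRF's SessionAuthentication returns no user when the account's is_active flag is False, which is how an inactive account surfaces as AnonymousUser in an API view. The check below covers the active, superuser and group-membership tests asked about above and reports which one failed. Assumptions: the group name api-admins, the function and class names and the stand-in user objects are hypothetical, and in a project the class would subclass rest_framework.permissions.BasePermission.

```python
from types import SimpleNamespace

REQUIRED_GROUP = "api-admins"  # hypothetical group name, not from the thread


def deny_reason(user, group=REQUIRED_GROUP):
    """Return None if access is allowed, else a short reason for logging."""
    if not getattr(user, "is_authenticated", False):
        # DRF's SessionAuthentication yields no user when is_active is False,
        # so an inactive account also arrives here as AnonymousUser.
        return "anonymous (or inactive account dropped by the authenticator)"
    if not user.is_active:
        return "inactive account"
    if not user.is_superuser:
        return "not a superuser"
    if not user.groups.filter(name=group).exists():
        return "not in group %s" % group
    return None


class ActiveSuperuserInGroup:
    """Exposes the has_permission(request, view) method DRF calls.

    Assumption: a real project subclasses
    rest_framework.permissions.BasePermission; kept dependency-free here.
    """

    def has_permission(self, request, view):
        return deny_reason(request.user) is None


# --- constructed stand-ins for Django user objects (sample input) ---
class FakeGroups:
    def __init__(self, *names):
        self.names = names

    def filter(self, name):
        return FakeGroups(*[n for n in self.names if n == name])

    def exists(self):
        return bool(self.names)


def fake_user(auth=True, active=True, superuser=True, groups=(REQUIRED_GROUP,)):
    return SimpleNamespace(is_authenticated=auth, is_active=active,
                           is_superuser=superuser, groups=FakeGroups(*groups))
```

Logging the returned reason on a denied request makes an is_active mismatch visible immediately instead of showing up only as an anonymous user.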
