[BUG] Django 1.11 backward compatibility bug when several authentication backends are in use


Raffi Enficiaud

Apr 7, 2017, 10:11:15 AM
to Django users
Hi Django list!

I am using a django-crowd authentication backend and the deployment today was not working with our setup. I nailed it down to the fact that the backward compatibility is not working as expected for 1.11 for the authenticate method:

https://docs.djangoproject.com/en/1.11/topics/auth/default/#django.contrib.auth.authenticate

Steps to reproduce:
- add an authentication backend using Django < 1.11 API at the end of the authentication backend list supplied by AUTHENTICATION_BACKENDS. At the end, or at least not in the first position, is important here
- try to log in with a user in this backend

Expected result:
- the authenticate method is called for this authentication backend

What happens:
- the authentication backend is discarded as it does not (supposedly) have the right API. It works as expected if the authentication backend is first in the list.

Bug explanation:
* the credential dictionary is polluted by the "request" argument after the first iteration in django/contrib/auth/__init__.py line 92
* after the first loop, all calls to "inspect.getcallargs(backend.authenticate, **credentials)" (line 81, same file) with the Django <= 1.10 API can only fail because they raise the exception TypeError indicating that they do not support this API

The fix needs to move to the new API. I think it should at least be advertised as a breaking change in the release notes, or this bug should be fixed by not adding the "request" to the "credentials" dict.

Thanks for the wonderful work on Django, I am so much in love with this!

Best regards,
Raffi Enficiaud
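
The failure described in the report above can be reproduced outside Django with a small model of the backend dispatch loop. This is an added example, not Django's source and not part of the original posts: the backend classes, function names and sample credentials are constructed, and the loop is simplified from the poster's description. The second function shows the poster's suggested remedy of not adding "request" to the credentials dict.

```python
import inspect

class NewApiBackend:
    """1.11-style signature (takes request); knows no users. Constructed."""
    def authenticate(self, request, username=None, password=None):
        return None

class LegacyBackend:
    """Pre-1.11 signature without request; one constructed sample user."""
    def authenticate(self, username=None, password=None):
        return username if (username, password) == ("alice", "s3cret") else None

def authenticate_buggy(backends, request=None, **credentials):
    """Model of the reported behaviour: 'request' leaks into credentials."""
    for backend in backends:
        try:
            inspect.getcallargs(backend.authenticate, request, **credentials)
        except TypeError:
            try:  # fall back to the pre-1.11 calling convention
                inspect.getcallargs(backend.authenticate, **credentials)
            except TypeError:
                continue  # backend silently skipped
        else:
            # Mutates the dict that every later iteration probes with.
            credentials["request"] = request
        user = backend.authenticate(**credentials)
        if user is not None:
            return user
    return None

def authenticate_fixed(backends, request=None, **credentials):
    """Same loop, but request travels in per-iteration args only."""
    for backend in backends:
        args = (request,)
        try:
            inspect.getcallargs(backend.authenticate, request, **credentials)
        except TypeError:
            args = ()
            try:
                inspect.getcallargs(backend.authenticate, **credentials)
            except TypeError:
                continue
        user = backend.authenticate(*args, **credentials)
        if user is not None:
            return user
    return None

if __name__ == "__main__":
    creds = {"username": "alice", "password": "s3cret"}
    chain = [NewApiBackend(), LegacyBackend()]  # legacy backend not first
    print(authenticate_buggy(chain, object(), **creds), authenticate_fixed(chain, object(), **creds))
```

In the buggy model the legacy backend is never called when it follows a new-style backend, so valid credentials are rejected without any error being raised; reversing the backend order hides the problem.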

René Fleschenberg

Apr 7, 2017, 1:40:25 PM
to django...@googlegroups.com
Hi Raffi,

Thanks for taking the time to report this. Can you please file an issue
at https://code.djangoproject.com/? The people who deal with triaging
and fixing bugs may not be following the django-users list.

Thanks!
René

--
René Fleschenberg

Am Stadtgarten 28, 45276 Essen, Germany
Phone: +49 1577 170 7363
E-Mail: re...@fleschenberg.net