Backwards incompatibility between 0.91 and 0.95 (mutli-auth sessions)

Skip to first unread message

Jeremy Dunck

May 29, 2007, 5:47:44 PM5/29/07
In [3226], the multi-auth branch landed.
It introduced a backwards incompatibility in existing sessions, which
are used for session-based auth.

The code responsible for supplying request.user prior to that rev was
e.g. handlers.modpython.ModPythonRequest._get_user. After that rev,
it's contrib.auth.get_user.

Prior to that rev, a valid user was returned if
session['_auth_user_id'] existed and had a contrib.auth.models.User
with that PK.

After that rev, session['_auth_user_backend'] is required as well.

If a KeyError is raised from either '_auth_user_id' or (in the new
rev) '_auth_user_backend', AnonymousUser is returned instead.

This means that any existing auth'd sessions are treated as anonymous
after this change.

As a workaround, the attached diff heals the backend if _auth_user_id
exists but _auth_user_backend doesn't by assuming that it should be

This allows old sessions to be migrated to the new auth keys without
requiring users to log in again and also avoids to crashes where code
assumes that the user returned from contrib.auth.get_user has a
backend attribute (which AnonymousUser does not).

Use that patch with caution-- if you plan on using some other backend
for auth, the patch could be a security concern.


Reply all
Reply to author
0 new messages