[Django] #18998: Removing an authentication backend that's cached in a user's session causes exception


Django

Sep 20, 2012, 7:28:55 PM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
----------------------------------------+--------------------
Reporter: Bradley Ayers <brad@…> | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
----------------------------------------+--------------------
Here's the scenario:

1. I add a new authentication backend to `AUTHENTICATION_BACKENDS`.
2. I deploy the code and a user logs in using that backend, and then logs
out.
3. I decide I want to change the name of the backend, so I do, and update
`AUTHENTICATION_BACKENDS` accordingly.
4. I deploy the code, and the same user loads the login page again.

On loading the page, an exception will be raised:

{{{
Traceback (most recent call last):

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/console/base.py", line 105, in wrapped
    result = func(request, *args, **kwargs)

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 19, in _wrapped_view
    if test_func(request.user):

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 184, in inner
    self._setup()

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/utils/functional.py", line 248, in _setup
    self._wrapped = self._setupfunc()

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 16, in <lambda>
    request.user = SimpleLazyObject(lambda: get_user(request))

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/middleware.py", line 8, in get_user
    request._cached_user = auth.get_user(request)

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 100, in get_user
    backend = load_backend(backend_path)

  File "/var/www/httpdocs/.env/lib/python2.7/site-packages/django/contrib/auth/__init__.py", line 22, in load_backend
    raise ImproperlyConfigured('Module "%s" does not define a "%s" authentication backend' % (module, attr))

ImproperlyConfigured: Module "project.apps.core.backends" does not define a "EmailOrUsernameModelBackend" authentication backend
}}}

`EmailOrUsernameModelBackend` is the name of the old backend that has been
renamed.

--
Ticket URL: <https://code.djangoproject.com/ticket/18998>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 21, 2012, 3:16:14 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by claudep):

* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Accepted


Comment:

I guess that catching `ImproperlyConfigured` in addition to `KeyError` in
`get_user` is the way to go here.

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:1>

Django

Sep 21, 2012, 3:18:47 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Bradley Ayers <brad@…>):

I think the code that retrieves the auth backend from the session should
ensure it's within `AUTHENTICATION_BACKENDS`. If it's not, treat it as
invalid and ignore it.

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:2>

Django

Sep 29, 2012, 9:07:36 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: mhaligowski
Type: Bug | Status: new
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by mhaligowski):

* owner: nobody => mhaligowski


--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:3>

Django

Sep 30, 2012, 12:34:37 PM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: mhaligowski
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Fixed on a branch
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by mhaligowski):

* status: new => closed
* resolution: => fixed
* stage: Accepted => Fixed on a branch


Comment:

https://github.com/django/django/pull/412

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:4>

Django

Sep 30, 2012, 4:02:00 PM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: mhaligowski
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by lrekucki):

* has_patch: 0 => 1
* stage: Fixed on a branch => Accepted


Comment:

The ticket isn't fixed until a core developer commits the code to the
master. You should have just marked the "Has patch" flag. See
https://docs.djangoproject.com/en/1.4/internals/contributing/triaging-tickets/#triage-stages
for more info :)

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:5>

Django

Sep 30, 2012, 5:11:37 PM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: mhaligowski
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by mhaligowski):

Ah, I expected so :) Sorry for that and thanks for the info.

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:6>

Django

Oct 1, 2012, 12:24:41 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: mhaligowski
Type: Bug | Status: reopened
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by ptone):

* status: closed => reopened
* resolution: fixed =>


Comment:

We should probably remove the fixed on branch stage

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:7>

Django

May 18, 2013, 5:24:09 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: jorgebastida
Type: Bug | Status: assigned
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by jorgebastida):

* owner: mhaligowski => jorgebastida
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:9>

Django

May 18, 2013, 7:05:03 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: jorgebastida
Type: Bug | Status: assigned
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by jorgebastida):

In the same way, if a user logs in with backend A and then we remove A from
{{{AUTHENTICATION_BACKENDS}}}, the user will still be logged in even if the
backend is no longer available in {{{AUTHENTICATION_BACKENDS}}} but the
module is.

Will write a patch and send a Pull Request.

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:10>

Django

May 18, 2013, 8:03:14 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: jorgebastida
Type: Bug | Status: assigned
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by jorgebastida):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:11>

Django

May 18, 2013, 9:58:59 AM
to django-...@googlegroups.com
#18998: Removing an authentication backend that's cached in a user's session causes
exception
-------------------------------------+-------------------------------------
Reporter: Bradley Ayers <brad@…> | Owner: jorgebastida
Type: Bug | Status: closed
Component: contrib.auth | Version: 1.4
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Claude Paroz <claude@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"dc43fbc2f21c12e34e309d0e8a121020391aa03a"]:
{{{
#!CommitTicketReference repository=""
revision="dc43fbc2f21c12e34e309d0e8a121020391aa03a"
Fixed #18998 - Prevented session crash when auth backend removed

Removing a backend configured in AUTHENTICATION_BACKENDS should not
raise an exception for existing sessions, but should make already
logged-in users disconnect.
Thanks Bradley Ayers for the report.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/18998#comment:12>
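
The check proposed in comment 2 and described in the commit message above, as an added example (not Django's code and not the committed patch): a session's stored backend path is honoured only if it is still listed in AUTHENTICATION_BACKENDS. The module name demo_backends, the class LegacyBackend and the function names get_user_unchecked / get_user_checked are hypothetical; the session keys follow django.contrib.auth, and None stands in for an anonymous user.

```python
import importlib
import sys
import types


class ImproperlyConfigured(Exception):
    """Local stand-in for django.core.exceptions.ImproperlyConfigured."""


class _Backend:
    def get_user(self, user_id):
        return {"id": user_id}


# Constructed module standing in for project.apps.core.backends after the
# rename: the old class name EmailOrUsernameModelBackend no longer exists.
mod = types.ModuleType("demo_backends")  # hypothetical module name
mod.EmailOrUsernameBackend = type("EmailOrUsernameBackend", (_Backend,), {})
mod.LegacyBackend = type("LegacyBackend", (_Backend,), {})  # importable, not configured
sys.modules["demo_backends"] = mod

AUTHENTICATION_BACKENDS = ["demo_backends.EmailOrUsernameBackend"]


def load_backend(path):
    module_name, _, attr = path.rpartition(".")
    module = importlib.import_module(module_name)
    if not hasattr(module, attr):
        raise ImproperlyConfigured(
            'Module "%s" does not define a "%s" authentication backend'
            % (module_name, attr))
    return getattr(module, attr)()


def get_user_unchecked(session):
    """Behaviour reported in the ticket: trust the path stored in the session."""
    try:
        backend = load_backend(session["_auth_user_backend"])
        return backend.get_user(session["_auth_user_id"])
    except KeyError:
        return None  # anonymous


def get_user_checked(session, allowed=AUTHENTICATION_BACKENDS):
    """Honour a session only if its backend is still configured."""
    path = session.get("_auth_user_backend")
    if path not in allowed or "_auth_user_id" not in session:
        return None  # anonymous: stale or unconfigured backend
    return load_backend(path).get_user(session["_auth_user_id"])
```

The allow-list check covers both cases raised in the thread: the renamed backend that made every request with a stale session raise, and the removed-but-still-importable backend that would otherwise keep the user logged in.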
