[Django] #36540: `alogout` is not cleaning user cache correctly
8 views
Skip to first unread message
Django
Aug 5, 2025, 4:33:56 AMAug 5
to django-...@googlegroups.com
#36540: `alogout` is not cleaning user cache correctly
------------------------+----------------------------------------
Reporter: Xdynix | Type: Bug
Status: new | Component: contrib.auth
Version: 5.2 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------+----------------------------------------
The ''request.auser'' method caches the ''user in _acached_user'', which
is not cleared during ''alogout''. Therefore, the following view code will
behave unexpectedly.
{{{
def delete_session(request: HttpRequest) -> None:
logger.info("Current user:", user=request.user.username) #
user="user"
logout(request)
logger.info("Current user:", user=request.user.username) # user=""
return None
async def delete_session(request: HttpRequest) -> None:
logger.info("Current user:", user=(await request.auser()).username) #
user="user"
await alogout(request)
logger.info("Current user:", user=(await request.auser()).username) #
user="user"
return None
}}}
It should be able to be fixed by adding the following to ''alogout''.
{{{
if hasattr(request, "_acached_user"):
delattr(request, "_acached_user")
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36540>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
------------------------+----------------------------------------
Reporter: Xdynix | Type: Bug
Status: new | Component: contrib.auth
Version: 5.2 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------+----------------------------------------
The ''request.auser'' method caches the ''user in _acached_user'', which
is not cleared during ''alogout''. Therefore, the following view code will
behave unexpectedly.
{{{
def delete_session(request: HttpRequest) -> None:
logger.info("Current user:", user=request.user.username) #
user="user"
logout(request)
logger.info("Current user:", user=request.user.username) # user=""
return None
async def delete_session(request: HttpRequest) -> None:
logger.info("Current user:", user=(await request.auser()).username) #
user="user"
await alogout(request)
logger.info("Current user:", user=(await request.auser()).username) #
user="user"
return None
}}}
It should be able to be fixed by adding the following to ''alogout''.
{{{
if hasattr(request, "_acached_user"):
delattr(request, "_acached_user")
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36540>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Aug 5, 2025, 7:32:31 AMAug 5
to django-...@googlegroups.com
#36540: `alogout` is not cleaning user cache correctly
------------------------------+--------------------------------------
Reporter: Xdynix | Owner: (none)
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: worksforme
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------------------------
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
Changes (by Sarah Boyce):
* resolution: => worksforme
* status: new => closed
Comment:
I can't replicate. The behavior also matches the sync behavior
{{{#!diff
--- a/tests/async/test_async_auth.py
+++ b/tests/async/test_async_auth.py
@@ -127,7 +127,10 @@ class AsyncAuthTest(TestCase):
await self.client.alogin(username="testuser", password="testpw")
request = HttpRequest()
request.session = await self.client.asession()
+ request.user = self.test_user
await alogout(request)
+ self.assertNotEqual(request.user, self.test_user)
+ self.assertIsInstance(request.user, AnonymousUser)
user = await aget_user(request)
self.assertIsInstance(user, AnonymousUser)
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36540#comment:1>
Django
Aug 5, 2025, 12:42:50 PMAug 5
to django-...@googlegroups.com
#36540: `alogout` is not cleaning user cache correctly
------------------------------+--------------------------------------
Reporter: Xdynix | Owner: (none)
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: worksforme
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------------------------
Comment (by Xdynix):
------------------------------+--------------------------------------
Reporter: Xdynix | Owner: (none)
Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: worksforme
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------------------------
The problematic code is within ''django/contrib/auth/middleware.py''.
Add the following test case to
''auth_tests.test_middleware.TestAuthenticationMiddleware'' and you can
reproduce it:
{{{
async def test_auser_logout(self):
from django.contrib.auth import alogout
from django.contrib.auth.models import AnonymousUser
self.middleware(self.request)
auser = await self.request.auser()
self.assertEqual(auser, self.user)
await alogout(self.request)
auser_second = await self.request.auser()
self.assertIsInstance(auser_second, AnonymousUser)
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36540#comment:2>
Django
Aug 5, 2025, 12:43:44 PMAug 5
to django-...@googlegroups.com
#36540: `alogout` is not cleaning user cache correctly
------------------------------+--------------------------------------
Reporter: Xdynix | Owner: (none)
Type: Bug | Status: new
------------------------------+--------------------------------------
Reporter: Xdynix | Owner: (none)
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution:
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Xdynix):
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
------------------------------+--------------------------------------
* resolution: worksforme =>
* status: closed => new
--
Ticket URL: <https://code.djangoproject.com/ticket/36540#comment:3>
Reply all
Reply to author
Forward
0 new messages