[Django] #35555: Add additional middleware checks for django.contrib.auth
15 views
Skip to first unread message
Django
unread,
Jun 24, 2024, 11:52:12 AM (5 days ago) Jun 24
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to django-...@googlegroups.com
#35555: Add additional middleware checks for django.contrib.auth
-------------------------------------+-------------------------------------
Reporter: Jaap Roes | Owner: nobody
Type: | Status: new
Cleanup/optimization |
Component: | Version: dev
contrib.auth | Keywords: auth session
Severity: Normal | middleware checks
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
The `django.contrib.auth.checks` module defines a
[https://github.com/django/django/blob/f1705c8780c0a7587654fc736542d55fe4a7f29b/django/contrib/auth/checks.py#L240-L262 check_middleware] function. This function currently checks if
`LoginRequiredMiddleware` is enabled, if so it checks if
`AuthenticationMiddleware` is also enabled, and is placed before it.
This is nice, and something than happens at runtime for other middlewares
in `contrib.auth`, for example:
Thanks, yes I agree with the reasoning. I'd like to see if it's possible
to convert these other runtime checks to similar Django checks, so the
behaviour is consistent.
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:2>
Django
unread,
Jun 25, 2024, 10:00:34 AM (4 days ago) Jun 25
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
A disadvantage I see with the system check approach is that it makes it
more difficult to use a custom middleware that sets `request.user` and
doesn't inherit `AuthenticationMiddleware`. In that case, the system check
error has to be silenced using `SILENCED_SYSTEM_CHECKS`.
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:3>
Django
unread,
Jun 25, 2024, 11:03:20 AM (4 days ago) Jun 25
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
I see that, but is that a common pattern? Even `RemoteUserMiddleware`,
which sets `request.user`, requires `AuthenticationMiddleware` in front of
it (that's partially what this ticket is about).
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:4>
Django
unread,
Jun 25, 2024, 11:03:38 AM (4 days ago) Jun 25
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
I don't know if it would affect anyone but it reminds me of other cases (I
can't think of a concrete example offhand) where we got complaints after
changing a duck-typing (similar to `hasattr(request, "user")`) to
something more specific like a class (or even subclass) check.
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:6>
Django
unread,
Jun 26, 2024, 3:34:30 AM (4 days ago) Jun 26
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
Are you arguing that the system check for `LoginRequiredMiddleware`
should've been a runtime/duck-type check? Or just that the other
middleware checks shouldn't be changed to do the same?
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:7>
Django
unread,
Jun 26, 2024, 6:23:05 AM (3 days ago) Jun 26
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
I think it's not worth changing existing errors to system checks. We have
had to relax such checks many times in the past, e.g.
efeceba589974b95b35b2e25df86498c96315518.
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:9>
Django
unread,
Jun 26, 2024, 4:56:17 PM (3 days ago) Jun 26
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
I tend to agree with Tim and Mariusz: Given Django's maturity, we
prioritize changes that clearly address bugs or introduce new features
rather than optional alterations.
If there is a compelling use case or scenario where implementing this
change significantly improves functionality and justifies the potential
risk to existing installations, we would be open to re-evaluating this
issue.
I do agree that there is a fundamental difference between a duck-type
check and a subclass check. Currently Django inconsistently applies both
to achieve the same goal.
As Tim identified, the major downside to adding these checks is that some
user might have to add these checks to `SILENCED_SYSTEM_CHECKS`. The
upside is that Django is more consistent (and helpful) when configuring
`contrib.auth`. Currently `contrib.auth` takes some of that
responsibility, but not every project uses that.
I've prepared a pull request on GitHub, to make it easier to see how
similar all these cases are. Sadly this ticket was just closed as WONTFIX
while doing this. I hope someone will still take the time to take a look
at it.
--
Ticket URL: <https://code.djangoproject.com/ticket/35555#comment:11>