Bug#663230: marked as done (With RemoteUserMiddleware, users keep being logged in after web server stops sending REMOTE_USER headers)

Mon, 25 Mar 2013 14:36:25 -0700 

Your message dated Mon, 25 Mar 2013 21:33:08 +0000
with message-id <[email protected]>
and subject line Bug#663230: fixed in python-django 1.5-1
has caused the Debian Bug report #663230,
regarding With RemoteUserMiddleware, users keep being logged in after web 
server stops sending REMOTE_USER headers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
663230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: python-django
Version: 1.3.1-4
Severity: normal

Hello,

thank you for maintaining Django. This was reproduced on
1.2.3-3+squeeze2 but the RemoteUserMiddleware code seems to be the same
as the 1.3.1-4 in my development machine.

RemoteUserMiddleware relies on a REMOTE_USER variable to be set by the
web server with the current user name, so far so good. However it does
not log a person out if the variable disappears during the same browser
session.

That may never happen with the usual browsers and auth, but it does
happen for other setups like DACS that have a logout feature button.

The error is in this bit of django.contrib.auth.middleware.RemoteUserMiddleware:

        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).
            return

The except side assumes that if there is no request.META[self.header],
then the user is the anonymous one.

Since I found that it is not always the case, I fixed it adding a simple
"auth.logout(request)" before returning:

        try:
            username = request.META[self.header]
        except KeyError:
            # If specified header doesn't exist then return (leaving
            # request.user set to AnonymousUser by the
            # AuthenticationMiddleware).

            # Make sure that if the server did not send any headers,
            # then we are actually logged out
            auth.logout(request)
            return

That one line change made nm.debian.org logout properly under DACS.


Ciao,

Enrico


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-django depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-8

Versions of packages python-django recommends:
ii  libjs-jquery  1.7.1-1

Versions of packages python-django suggests:
ii  geoip-database-contrib  <none>
ii  python-flup             <none>
ii  python-mysqldb          1.2.3-1
ii  python-psycopg          <none>
ii  python-psycopg2         2.4.4-3
ii  python-sqlite           1.0.1-9
ii  python-yaml             3.10-2

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: python-django
Source-Version: 1.5-1

We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luke Faraone <[email protected]> (supplier of updated python-django package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 Mar 2013 17:52:30 -0400
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.5-1
Distribution: experimental
Urgency: low
Maintainer: Chris Lamb <[email protected]>
Changed-By: Luke Faraone <[email protected]>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Closes: 436983 646634 663230
Changes: 
 python-django (1.5-1) experimental; urgency=low
 .
   * New upstream release. Closes: #646634, #663230, #436983
Checksums-Sha1: 
 3b7a6161f564c4984536e192cbad9c9434f92d34 2178 python-django_1.5-1.dsc
 358dce7db72904c334e3d7ce7eaa0e27a22cfa16 8007045 python-django_1.5.orig.tar.gz
 ce3b8422c82aedcc13d660308ecdbeec375fcd55 20005 
python-django_1.5-1.debian.tar.gz
 7036cf4045864d22623ff6122814d430dc552262 5639862 python-django_1.5-1_all.deb
 3a571388026cbb2c358c1e16116944cb256d51db 2556196 
python-django-doc_1.5-1_all.deb
Checksums-Sha256: 
 ec11dae21030c3da964a1257a7f4c7867caef658d349b3bdda0e1b67a5f73f3d 2178 
python-django_1.5-1.dsc
 078bf8f8ab025ed79e41ed5cee145a64dffea638eb5c2928c8cd106720824416 8007045 
python-django_1.5.orig.tar.gz
 c3b64853cfd88a5566567397ff36c6c68de8ca47aa1d54d00765993733c4a201 20005 
python-django_1.5-1.debian.tar.gz
 a5d41b8271b2451e55141ca3abe5ef2da5546df2aa669fef0b598855880f15d3 5639862 
python-django_1.5-1_all.deb
 116f52d92f502aab6b04c3f2531c9e575bf7ca992dd083ea7b6221837b089624 2556196 
python-django-doc_1.5-1_all.deb
Files: 
 ce61bbbec6957cb23f9aaebf1a6e52be 2178 python optional python-django_1.5-1.dsc
 fac09e1e0f11bb83bb187d652a9be967 8007045 python optional 
python-django_1.5.orig.tar.gz
 cc76374f104b8a4be921d29e1e79e492 20005 python optional 
python-django_1.5-1.debian.tar.gz
 34a6999cea940ddc4a9c8a4702592369 5639862 python optional 
python-django_1.5-1_all.deb
 00289916a2e85dd909a852b619f86de6 2556196 doc optional 
python-django-doc_1.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJRULy2AAoJEJcyXdj5/dUGQogQALQ6sKXIxA4Z2FKf72EEjap7
skUAeptCOUtw/c1qt3ysKFo3c+BrYLUbK6d/0nWwvyNtwsaaL4LUc/QEKCZ17dXH
qUIyNdAOVXMU3fCwgLePMgS+72kKAOzoVACUY0MIWAsxHDa3YbuPIeFPjPUzxa+l
pMKY2gveCS9DV2C6iSHtrdrJuQmsCoxfyMCBFgUzLmxHqqyqhn0NJSv009mTKqcJ
YWRGXVg3lISctBv9ZCKCuj/zKP7rhFtUJSZFYma7geznvGnCxxkIZm4wfBuyBjPx
HNLQFmdg3xLP2LrQaGg11TU6T2Vh52KK2w6RW2vGmWBjiqQ4BUks1ZWfZs2amAQx
9eDVWFndBeX1Wtm3J8Gkv8R3opKJlShWbtV1nSeeIGX4WT8YD/kAWgp/rytM3d8p
o7l12IYYgCz/6A02Tj/w66N3UG4uPv/4LTc2mx/gA1GpCsXsJ9ih/eO8ef7mCGnU
cPQ66LN4XZKCXsxHMz5X5InDkJpoc4zzaLcPXpaSyYMN1WhQTd9hbZyhZRAwIWm5
5J2lhklwQ/EnO7XIDJYwPAsIWKGJ/xTxF/IgtDdvijtnt2JqkVPSp4Dfd8Y7utBS
RbhdUjuVoQ03UM3fdi2zgzZjy1Biyg75e9ac00egrCV9rBCd3hL43YO8Pw7DbX5a
BkrX14PqAZtFQfuCG1s6
=BISM
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to