On 05/23/2015 11:37 AM, Marc Tamlyn wrote:
> If the backend is inferred by a single value in the settings and not
> stored alongside the user ID, what would happen to existing users
> who are already logged in when a second backend is added to the
> settings and deployed? Django would no longer know which backend to
> use to fetch the authenticated user?
>
>
> I believe the intention would be to store the single backend against the
> user ID on login, so this would be safe for sessions loaded after a
> second backend is added. Obviously code using this convention would need
> to be updated when more than one backend is used.
>
> I think this would be a good plan, I reckon that most sites use only one
> auth backend anyway.
Right. I think we always need to store the backend in the session; I'm
OK with the backend to store being chosen automatically for sites with
only a single backend configured (at the moment when the user is logged in).

So the proposed logic for the login() function would look something like:

1) Use the value of the `backend` argument, if provided.
2) Use the value of the `user.backend` annotation, if present.
3) Use the only configured backend, if there is only one.
4) Raise ValueError("You have multiple authentication backends
configured; you must provide the `backend` argument to `login`.")

(I don't think the error would even need to mention the annotation
option; if you're using authenticate+login you'd never hit the error
anyway, and if you're not then the new `backend` arg is the preferred
API we should advertise.)

Carl
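The four steps above as a plain-Python model, added here as an example (it is not Django's code and not code from this thread). The dict-based session, the session key names, the `User` class and the `backend_for_session` helper are assumptions of the sketch.

```python
# Added example: plain-Python model of the proposed resolution order.
# The session is a dict and backends are dotted-path strings (assumptions).

SESSION_KEY = "_auth_user_id"               # assumed key name for the user ID
BACKEND_SESSION_KEY = "_auth_user_backend"  # assumed key name for the backend


class User:
    """Minimal stand-in for a user object (hypothetical)."""
    def __init__(self, pk):
        self.pk = pk


def resolve_backend(user, configured, backend=None):
    """Return the backend path to record for this login (steps 1-4)."""
    if backend is not None:                      # 1) explicit argument wins
        return backend
    annotated = getattr(user, "backend", None)   # 2) annotation from authenticate()
    if annotated is not None:
        return annotated
    if len(configured) == 1:                     # 3) single configured backend
        return configured[0]
    raise ValueError(                            # 4) refuse to guess
        "You have multiple authentication backends configured; "
        "you must provide the `backend` argument to `login`."
    )


def login(session, user, configured, backend=None):
    """Always store the resolved backend next to the user ID."""
    chosen = resolve_backend(user, configured, backend)
    session[SESSION_KEY] = str(user.pk)
    session[BACKEND_SESSION_KEY] = chosen
    return chosen


def backend_for_session(session, configured):
    """Backend used to load the user on later requests.

    Reads the value stored at login instead of re-inferring it from the
    settings, so adding a second backend does not orphan the session.
    Assumption of this sketch: a stored backend that is no longer
    configured yields None (treated as logged out).
    """
    stored = session.get(BACKEND_SESSION_KEY)
    return stored if stored in configured else None
```

A session created while one backend was configured still resolves after a second is added, because the lookup reads the stored path rather than the current settings.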
