#20671: Custom backend get_user function is assumed to search by primary key
-------------------------------------+-------------------------------------
     Reporter:  elliot.smith91@…     |                    Owner:  nobody
         Type:  New feature          |                   Status:  new
    Component:  contrib.auth         |                  Version:  1.5
     Severity:  Normal               |               Resolution:
     Keywords:  session, auth,       |             Triage Stage:  Accepted
  custom                             |      Needs documentation:  0
    Has patch:  0                    |  Patch needs improvement:  0
  Needs tests:  0                    |                    UI/UX:  0
Easy pickings:  0                    |
-------------------------------------+-------------------------------------
Changes (by bmispelon):

 * needs_better_patch:   => 0
 * component:  contrib.sessions => contrib.auth
 * needs_tests:   => 0
 * needs_docs:   => 0
 * type:  Bug => New feature
 * stage:  Unreviewed => Accepted


Comment:

 Hi,

 The source of the problem is `contrib.auth.login`, which has the following
 line [1]:
 {{{#!python
 request.session[SESSION_KEY] = user.pk
 }}}

 This limitation is somewhat documented, as the documentation states that
 [2]:
 > user_id [...] has to be the primary key of your User object

 I think it'd be interesting to explore what we could do to lift this
 limitation (and if not, I agree that it should be documented more
 prominently).

 However, I don't think that the user model is the right place for it.
 From my understanding, it's the responsibility of the backend (not the
 user model) to store in the session whatever it needs to fetch the full
 user object later on.

 [1] https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L84
 [2] https://docs.djangoproject.com/en/dev/topics/auth/customizing/#writing-an-authentication-backend

-- 
Ticket URL: <https://code.djangoproject.com/ticket/20671#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
