#23925: django.contrib.auth.authenticate sets the wrong backend path
------------------------------+--------------------
     Reporter:  sdeprez       |      Owner:  nobody
         Type:  Bug           |     Status:  new
    Component:  contrib.auth  |    Version:  1.7
     Severity:  Normal        |   Keywords:
 Triage Stage:  Unreviewed    |  Has patch:  1
Easy pickings:  0             |      UI/UX:  0
------------------------------+--------------------
 The `django.contrib.auth.authenticate` function currently tries to authenticate a user by checking each backend in `settings.AUTHENTICATION_BACKENDS`, and when it has found one that works, it annotates the user by adding a `path` attribute that is the path of the backend (as a Python object). However, the path is computed based on the `__class__` attribute of the backend object, which gives the "real" path of the object, and NOT based on the path given by `settings.AUTHENTICATION_BACKENDS`.
 This is problematic because they may differ, and thus the later check `if backend_path in settings.AUTHENTICATION_BACKENDS` in `django.contrib.auth.get_user` can fail whereas it should not.

 Steps to reproduce the bug:
 - create a custom backend in some module: `my_app.my_module_backend.CustomBackend`
 - create another module that imports this module. For instance, it's common practice to import it in the `__init__.py` file of the package. So, in `my_app/__init__.py` put `from my_app import CustomBackend`.
 - Set `AUTHENTICATION_BACKENDS = my_app.CustomBackend`
 - Run Django, create a user and try to login.

 Everything will go fine (no errors), except that you WON'T be logged, because of `django.contrib.auth.get_user` that will return an AnonymousUser. This can be very painful to track and this can even lead to infinite loops if your `LOGIN_REDIRECT_URL` is a URL that requires login, because the session key will be set but an `AnonymousUser` is returned.

 I attached a patch that fixes that, by setting the actual path used in `AUTHENTICATION_BACKENDS` in the user, without any changes to the working public API.

--
Ticket URL: <https://code.djangoproject.com/ticket/23925>
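
The mismatch reported above, reproduced without Django as an added example (not code from the ticket, its patch, or Django itself). `load_backend`, `class_path` and `login_survives` are hypothetical stand-ins for the behaviour the report describes, and the `my_app` package is built in memory with the names used in the reproduction steps.

```python
import importlib
import sys
import types

# Constructed layout from the report: the class lives in
# my_app.my_module_backend and is re-exported by my_app/__init__.py.
pkg = types.ModuleType("my_app")
pkg.__path__ = []  # marks the module as a package
mod = types.ModuleType("my_app.my_module_backend")
exec(
    "class CustomBackend:\n"
    "    def authenticate(self, **credentials):\n"
    "        return 'user'  # constructed: always succeeds\n",
    mod.__dict__,
)
pkg.my_module_backend = mod
pkg.CustomBackend = mod.CustomBackend  # the re-export
sys.modules["my_app"] = pkg
sys.modules["my_app.my_module_backend"] = mod


def load_backend(path):
    """Import a backend from its dotted path and instantiate it."""
    module_path, _, class_name = path.rpartition(".")
    return getattr(importlib.import_module(module_path), class_name)()


def class_path(backend):
    """Path derived from the object's class, as the report describes."""
    cls = backend.__class__
    return "%s.%s" % (cls.__module__, cls.__name__)


def login_survives(configured, store_configured_path):
    """Simplified authenticate() followed by the get_user() membership check."""
    for path in configured:
        backend = load_backend(path)
        if backend.authenticate() is None:
            continue
        stored = path if store_configured_path else class_path(backend)
        return stored in configured  # False means AnonymousUser
    return False


if __name__ == "__main__":
    backends = ["my_app.CustomBackend"]
    print(class_path(load_backend(backends[0])))
    print(login_survives(backends, store_configured_path=False))
    print(login_survives(backends, store_configured_path=True))
```

Until a fix is deployed, listing the backend under the module where its class is actually defined keeps the stored path and the configured path identical.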