#15671: RemoteUserMiddleware hides true errors and exceptions
----------------------------+---------------------------
Reporter: metzen | Owner: metzen
Status: new | Milestone:
Component: Authentication | Version: SVN
Keywords: | Triage Stage: Unreviewed
Has patch: 1 |
----------------------------+---------------------------
The !RemoteUserMiddleware hides true errors and exceptions that may occur
when fetching Session and User data from the db backend. This occurs
because the middleware first performs a test to ensure that
contrib.auth.middleware.!AuthenticationMiddleware has been installed by
calling:
{{{
if not hasattr(request, 'user'):
    raise ImproperlyConfigured(...)
}}}
However, hasattr dangerously catches all exceptions that occur during the
call, which hides any of the multitude of problems that could occur when
the !LazyUser attribute attempts to fetch the real User instance from the
database.
I've proposed a patch which instead uses a try/except on !AttributeError
to perform the same logic, while letting other exceptions correctly bubble
up.
--
Ticket URL: <http://code.djangoproject.com/ticket/15671>
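
The masking described in the ticket, as an added example that is not part of the ticket or of Django's code. LazyUser, Request, BareRequest and DatabaseError are stand-in classes, and py2_hasattr emulates the Python 2 hasattr() behaviour (any exception treated as a missing attribute), because hasattr() in Python 3.2 and later only swallows AttributeError.

```python
# Added illustration: all classes are stand-ins, not Django's own code.
class DatabaseError(Exception):
    """Stand-in for a backend failure while loading the user."""

class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""

class LazyUser:
    """Descriptor that fetches the user on first access (assumed shape)."""
    def __get__(self, request, owner=None):
        if request.db_down:
            raise DatabaseError("could not fetch user")  # the real problem
        return "alice"  # constructed sample value

class Request:
    user = LazyUser()  # what AuthenticationMiddleware would install
    def __init__(self, db_down):
        self.db_down = db_down

class BareRequest:
    """Request without AuthenticationMiddleware: no 'user' attribute."""

def py2_hasattr(obj, name):
    """Emulate Python 2 hasattr(): any exception reads as 'missing'."""
    try:
        getattr(obj, name)
    except Exception:
        return False
    return True

def check_with_hasattr(request):
    if not py2_hasattr(request, "user"):
        raise ImproperlyConfigured("AuthenticationMiddleware required")
    return "ok"

def check_with_try_except(request):
    try:
        request.user
    except AttributeError:
        raise ImproperlyConfigured("AuthenticationMiddleware required")
    return "ok"

def outcome(check, request):
    """Return 'ok' or the name of the exception the check raised."""
    try:
        return check(request)
    except Exception as exc:
        return type(exc).__name__
```

With the database down, outcome(check_with_hasattr, Request(db_down=True)) reports ImproperlyConfigured, while the try/except variant reports DatabaseError; both report ImproperlyConfigured for BareRequest().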