Friday, April 7, 2017

[BUG] Django 1.11 backward compatibility bug when several authentication backends are in use

Hi Django list!

I am using a django-crowd authentication backend and the deployment today was not working with our setup. I nailed it down to the fact that the backward compatibility is not working as expected for 1.11 for the authenticate method:

https://docs.djangoproject.com/en/1.11/topics/auth/default/#django.contrib.auth.authenticate

Steps to reproduce:
- add an authentication backend using Django < 1.11 API at the end of the authentication backend list supplied by AUTHENTICATION_BACKENDS. At the end, or at least not in the first position, is important here
- try to log in with a user in this backend

Expected result:
- the authenticate method is called for this authentication backend

What happens:
- the authentication backend is discarded as it does not (supposedly) have the right API. It works as expected if the authentication backend is first in the list.

Bug explanation:
* the credential dictionary is polluted by the "request" argument after the first iteration in django/contrib/auth/__init__.py line 92
* after the first loop, all calls to "inspect.getcallargs(backend.authenticate, **credentials)" (line 81, same file) with the Django <= 1.10 API can only fail because they raise the exception TypeError indicating that they do not support this API

The fix needs to move to the new API. I think it should at least be advertised as a breaking change in the release notes, or this bug should be fixed by not adding the "request" to the "credentials" dict.

Thanks for the wonderful work on Django, I am so much in love with this!

Best regards,
Raffi Enficiaud
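
The mechanism described in the message above, as an added example that is not part of the original post and is not Django's source: a simplified model of the dispatch loop, in which the backend classes, function names and sample credentials are constructed for illustration. It shows a backend with the pre-1.11 signature being skipped once `request` has been written into the shared `credentials` dict, and being reached when each backend gets its own keyword dict.

```python
import inspect


class NewStyleBackend:
    """Constructed backend that accepts `request`; it knows no users."""
    def authenticate(self, request=None, username=None, password=None):
        return None


class LegacyBackend:
    """Constructed backend with a Django <= 1.10 style signature (no `request`)."""
    def authenticate(self, username=None, password=None):
        return username if password == "s3cret" else None


def accepts(func, kwargs):
    """True if func can be called with exactly these keyword arguments."""
    try:
        inspect.getcallargs(func, **kwargs)
    except TypeError:
        return False
    return True


def authenticate_polluting(backends, request=None, **credentials):
    """Model of the reported behaviour: `request` leaks into the shared dict."""
    for backend in backends:
        if accepts(backend.authenticate, dict(credentials, request=request)):
            credentials["request"] = request  # persists into later iterations
        elif not accepts(backend.authenticate, credentials):
            continue  # legacy backend rejected because of the leaked key
        user = backend.authenticate(**credentials)
        if user is not None:
            return user
    return None


def authenticate_isolated(backends, request=None, **credentials):
    """Same loop, but the caller's credentials dict is never mutated."""
    for backend in backends:
        with_request = dict(credentials, request=request)
        if accepts(backend.authenticate, with_request):
            kwargs = with_request
        elif accepts(backend.authenticate, credentials):
            kwargs = credentials
        else:
            continue
        user = backend.authenticate(**kwargs)
        if user is not None:
            return user
    return None
```

With `NewStyleBackend` listed first, the polluting loop never calls `LegacyBackend.authenticate`, so a valid login fails without any error; reversing the order hides the problem, which matches the report.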
