Hi Mehmet,

On 13/03/2020 21.47, Mehmet Ince wrote:
> - We must forcefully enable session validation for every endpoint.
> - Developers must do something to make the unauthenticated endpoint
> instead of making it authentication protected!

I agree with you that this would be a better situation from a security standpoint. However, there are many important details that make this harder than one might think, most of which you already mentioned.

> - You can enable it by adding
> 'forceauth.ForceAuthenticationMiddleware' middleware.

I would avoid the "auth" wording as it is easy to think that this is about authorization. The corresponding mixin in django is called `LoginRequiredMixin`, so I think it would be a good idea to call this one `forcelogin.ForceLoginMiddleware`.

> - If you have a FBV, and it requires to be accessible for
> unauthenticated users, call *@publicly_accessible_endpoint*
> decorator.
> - If you have CBV, and it requires to be accessible for
> unauthenticated users, inherit *PubliclyAccessibleEndpointMixin*
> alongside other classes that you need like TemplateView, ListView
> etc.

I think it is nice that this mirrors the current situation, but the implementation feels brittle. Wouldn't it be much easier to add a list of ignored paths to settings?

> I'm not talking about authorization

This is a big one for me. In the projects that I have worked on, there was rarely a view that required login but no permissions. So adding the middleware could create a false sense of security. Sure, it improves the situation quite a bit by requiring authentication, but it hides the underlying issue.

Another option could be to add system checks for this: instead of silently "fixing" missing code, it would inform developers about missing decorators/mixins. (If I have time I might try to come up with a prototype of this.)

tobias

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/defe8a05-ad60-bc66-03c8-238401e38605%40posteo.de.
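As an added example (neither Mehmet's proposal nor Tobias's code), here is one way the deny-by-default middleware, the opt-out decorator/mixin, and the settings list of ignored paths discussed above could fit together. `ForceLoginMiddleware`, `exempt_paths`, `decide` and the stubbed request are assumptions of this example; a real deployment would return a redirect to `LOGIN_URL` (or a 401) instead of the dict, and the only Django behaviour relied on is that `as_view()` sets `view_class` on the returned function.

```python
import fnmatch
def publicly_accessible_endpoint(view_func):
    """Marks a function-based view as reachable without login."""
    view_func.publicly_accessible = True
    return view_func
class PubliclyAccessibleEndpointMixin:
    """Marks a class-based view as public; Django's as_view() stores the class on view_func.view_class."""
    publicly_accessible = True
class ForceLoginMiddleware:
    """Deny by default: every resolved view needs a logged-in user unless it explicitly opts out."""
    def __init__(self, get_response, exempt_paths=()):
        # exempt_paths stands in for the settings list suggested in the reply (glob patterns; assumed name).
        self.get_response = get_response
        self.exempt_paths = tuple(exempt_paths)
    def __call__(self, request):
        return self.get_response(request)
    @staticmethod
    def _is_public(view_func):
        view_class = getattr(view_func, "view_class", None)
        return bool(getattr(view_func, "publicly_accessible", False)
                    or getattr(view_class, "publicly_accessible", False))
    def process_view(self, request, view_func, view_args, view_kwargs):
        """Django calls this after URL resolution; a non-None return replaces the view's response."""
        path = request.path.lstrip("/")
        if self._is_public(view_func) or any(fnmatch.fnmatch(path, p) for p in self.exempt_paths):
            return None
        if request.user.is_authenticated:
            return None
        # In a real project: HttpResponseRedirect(settings.LOGIN_URL) or an HTTP 401 response.
        return {"status": 401, "path": request.path}

# Constructed stand-ins so the example runs without Django installed.
class FakeRequest:
    def __init__(self, path, authenticated):
        self.path = path
        self.user = type("User", (), {"is_authenticated": authenticated})()
@publicly_accessible_endpoint
def login_view(request): return "login form"
def dashboard(request): return "members only"
class PublicPage(PubliclyAccessibleEndpointMixin): pass
def public_page(request): return "public page"
public_page.view_class = PublicPage  # what PublicPage.as_view() sets in Django

def decide(path, authenticated, view_func, exempt_paths=("static/*",)):
    """None means the request may proceed to the view; otherwise the deny response."""
    mw = ForceLoginMiddleware(lambda request: None, exempt_paths)
    return mw.process_view(FakeRequest(path, authenticated), view_func, (), {})
```

Note that, as the reply points out, passing this middleware only proves the user is logged in; per-view permission checks are still needed.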