#35530: `django.contrib.auth.login` inconsistently guards `request.user`
-------------------------------------+-------------------------------------
     Reporter:  Jaap Roes            |                    Owner:  nobody
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  contrib.auth         |                  Version:  dev
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:                       |             Triage Stage:  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):
* cc: Jacob (added)
* resolution: => needsinfo
* status: new => closed
Comment:
I agree that, looking at the docs for
[https://docs.djangoproject.com/en/5.0/topics/auth/default/#django.contrib.auth.login
login], this `user=None` shouldn't be accepted, and in the example code,
there is a guard after `authenticate` (which can return None for user).
This is a good sign that we might be able to remove this.
However, this code was added a long time ago, in
aab3a418ac9293bb4abd7670f65d930cb0426d58 (roughly 18 years old).
It is likely **someone** is using this. This should roughly "work", for
example:
{{{#!python
from django.contrib.auth import authenticate, login
from django.contrib.auth.decorators import login_required


@login_required
def change_account(request):
    # This view is when some user has access to multiple accounts.
    username = request.POST["username"]
    password = request.POST["password"]
    user = authenticate(request, username=username, password=password)
    # user may be None here; login() is still called before the check below.
    login(request, user)
    if user is not None:
        # Redirect to a success page.
        ...
    else:
        # Return an 'invalid login' error message
        # but I am still logged in as the original user.
        ...
}}}
I would love to hear some opinions of people who have written custom
authentication backends (maybe the maintainer of django-allauth) or others
who might remember some of the history of this before we proceed here, as I
think the value gained here (removing ~2 lines) is very small.
Can you discuss this on the [https://forum.djangoproject.com/c/internals/5
Django Forum]? Check if the community is in agreement to do this?
--
Ticket URL: <https://code.djangoproject.com/ticket/35530#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
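
An added example (not part of the ticket comment and not Django's code) that models the control flow of the view above with plain Python stand-ins: `fallback_login` mimics the `user=None` fallback to `request.user`, and `strict_login` is a hypothetical guard that rejects `None`. The request objects, account table and `events` list (standing in for a login signal or audit row) are constructed assumptions.

```python
from types import SimpleNamespace


class AuthenticationFailed(Exception):
    """Raised instead of silently falling back to request.user."""


def fallback_login(request, user, events):
    # Stand-in for the behaviour the ticket discusses (not Django's source):
    # user=None is accepted and replaced by whoever is already on the request.
    if user is None:
        user = request.user
    request.session["_auth_user_id"] = user.pk
    request.user = user
    events.append(("logged_in", user.username))  # models a login signal/audit row
    return user


def strict_login(request, user, events):
    # Guarded variant: a failed authenticate() never reaches the session code.
    if user is None:
        raise AuthenticationFailed("authenticate() returned None")
    return fallback_login(request, user, events)


def change_account(request, accounts, login_func):
    """Control flow of the ticket's view; returns (outcome, audit events)."""
    events = []
    creds = (request.POST["username"], request.POST["password"])
    user = accounts.get(creds)  # None on bad credentials, like authenticate()
    try:
        login_func(request, user, events)
    except AuthenticationFailed:
        return "invalid login", events
    return ("switched" if user is not None else "invalid login"), events


def make_request(current, username, password):
    # Constructed request object with only the attributes used above.
    return SimpleNamespace(user=current, session={"_auth_user_id": current.pk},
                           POST={"username": username, "password": password})


# Constructed sample accounts; names and passwords are illustrative.
ALICE = SimpleNamespace(pk=1, username="alice")
BOB = SimpleNamespace(pk=2, username="bob")
ACCOUNTS = {("alice", "pw-a"): ALICE, ("bob", "pw-b"): BOB}

if __name__ == "__main__":
    for fn in (fallback_login, strict_login):
        print(fn.__name__, change_account(make_request(ALICE, "bob", "wrong"), ACCOUNTS, fn))
```

With wrong credentials both variants leave the session on the original user, but only the fallback variant records a login event for that user.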