#35530: `django.contrib.auth.login` inconsistently guards `request.user`
-------------------------------------+-------------------------------------
     Reporter:  Jaap Roes            |                    Owner:  nobody
         Type:                       |                   Status:  closed
  Cleanup/optimization               |
    Component:  contrib.auth         |                  Version:  dev
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

 * cc: Jacob (added)
 * resolution:   => needsinfo
 * status:  new => closed

Comment:

 I agree that, looking at the docs for
 
[https://docs.djangoproject.com/en/5.0/topics/auth/default/#django.contrib.auth.login
 login], this `user=None` shouldn't be accepted, and in the example code,
 there is a guard after `authenticate` (which can return None for user).
 This is a good sign that we might be able to remove this.

 However, this code was added a long time ago in
 aab3a418ac9293bb4abd7670f65d930cb0426d58 (roughly 18 years old).
 It is likely **someone** is using this. This should roughly "work", for
 example:

 {{{#!python
 from django.contrib.auth import authenticate, login
 from django.contrib.auth.decorators import login_required


 @login_required
 def change_account(request):
     # This view is when some user has access to multiple accounts.
     username = request.POST["username"]
     password = request.POST["password"]
     user = authenticate(request, username=username, password=password)
     # Called before the None check: with user=None, login() falls back
     # to request.user instead of raising.
     login(request, user)
     if user is not None:
         # Redirect to a success page.
         ...
     else:
         # Return an 'invalid login' error message
         # but I am still logged in as the original user.
         ...
 }}}

 I would love to hear some opinions of people who have written custom
 authentication backends (maybe the maintainer of django-allauth) or others
 who might remember some of the history of this before we proceed here, as I
 think the value gained here (removing ~2 lines) is very small.

 Can you discuss this on the [https://forum.djangoproject.com/c/internals/5
 Django Forum]? Check if the community is in agreement to do this?
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35530#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
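The two view orderings discussed in the comment above, as an added example that is not part of the ticket and not Django's own code. It runs without Django installed: `User`, `Request`, `authenticate` and `login` are small stand-ins (assumptions) that reproduce only the behaviour the ticket describes, namely that `login(request, None)` falls back to `request.user`, and a `LOGIN_EVENTS` list stands in for the side effects a real `login()` call has (session key rotation, the `user_logged_in` signal). The credentials and users are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for django.contrib.auth.SESSION_KEY (assumption: same name).
SESSION_KEY = "_auth_user_id"

# Records every user that login() persisted, so a test can see spurious
# "re-logins" that happen on a failed attempt (stands in for session
# rotation / the user_logged_in signal of the real login()).
LOGIN_EVENTS = []


@dataclass
class User:
    pk: int
    username: str


@dataclass
class Request:
    user: Optional[User]
    session: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


# Constructed sample data for the example.
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}
USERS = {"alice": User(1, "alice"), "bob": User(2, "bob")}


def authenticate(request, username, password):
    """Stand-in for django.contrib.auth.authenticate: None on bad credentials."""
    if CREDENTIALS.get(username) == password:
        return USERS[username]
    return None


def login(request, user):
    """Stand-in for django.contrib.auth.login with the fallback the ticket
    questions: user=None is replaced by request.user instead of raising."""
    if user is None:
        user = request.user
    request.session[SESSION_KEY] = str(user.pk)
    request.user = user
    LOGIN_EVENTS.append(user.username)


def change_account_unguarded(request):
    """Ordering from the ticket comment: login() runs before the None check."""
    user = authenticate(request, request.POST["username"], request.POST["password"])
    login(request, user)
    if user is not None:
        return "redirect"
    return "invalid login"


def change_account_guarded(request):
    """Check authenticate()'s result first; call login() only with a real user."""
    user = authenticate(request, request.POST["username"], request.POST["password"])
    if user is None:
        return "invalid login"
    login(request, user)
    return "redirect"


def run(view, username, password, current=USERS["alice"]):
    """Run `view` as an already logged-in `current` user and report
    (response, user id now in the session, login events during the view)."""
    request = Request(user=current, POST={"username": username, "password": password})
    request.session[SESSION_KEY] = str(current.pk)
    before = len(LOGIN_EVENTS)
    response = view(request)
    return response, request.session[SESSION_KEY], LOGIN_EVENTS[before:]


if __name__ == "__main__":
    # A wrong password leaves alice logged in either way, but only the
    # unguarded ordering records a fresh login for her.
    print(run(change_account_unguarded, "bob", "wrong"))
    print(run(change_account_guarded, "bob", "wrong"))
```

With a correct password both orderings switch the session to bob. With a wrong password both leave alice in the session, but the unguarded view still issues a login for alice, which is the silent fallback the ticket asks whether to keep; the guarded view never calls `login()` with `None`, so it does not depend on that fallback.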
