summaryrefslogtreecommitdiff
path: root/docs/releases
diff options
context:
space:
mode:
authorJeremy Lainé <jeremy.laine@m4x.org>2016-04-02 13:18:26 +0200
committerTim Graham <timograham@gmail.com>2016-04-09 14:54:18 -0400
commitc1aec0feda73ede09503192a66f973598aef901d (patch)
treef1e4c09f3e98177cfe78cc9039b300f8984e7aed /docs/releases
parentc16b9dd8e0ae757616e9accbaffecc521191ee98 (diff)
Fixed #25847 -- Made User.is_(anonymous|authenticated) properties.
Diffstat (limited to 'docs/releases')
-rw-r--r--docs/releases/1.10.txt35
1 files changed, 35 insertions, 0 deletions
diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt
index 2002905b2d..463cd4706e 100644
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@@ -730,6 +730,10 @@ Miscellaneous
* Middleware classes are now initialized when the server starts rather than
during the first request.
+* If you override ``is_authenticated()`` or ``is_anonymous()`` in a custom user
+ model, you must convert them to attributes or properties as described in
+ :ref:`the deprecation note <user-is-auth-anon-deprecation>`.
+
.. _deprecated-features-1.10:
Features deprecated in 1.10
@@ -857,6 +861,37 @@ features, is deprecated. Replace it with a custom lookup::
models.CharField.register_lookup(Search)
models.TextField.register_lookup(Search)
+.. _user-is-auth-anon-deprecation:
+
+Using ``User.is_authenticated()`` and ``User.is_anonymous()`` as methods
+------------------------------------------------------------------------
+
+The ``is_authenticated()`` and ``is_anonymous()`` methods of
+:class:`~django.contrib.auth.models.AbstractBaseUser` and
+:class:`~django.contrib.auth.models.AnonymousUser` classes are now
+properties. They will still work as methods until Django 2.0, but all usage
+in Django now uses attribute access.
+
+For example, if you use
+:class:`~django.contrib.auth.middleware.AuthenticationMiddleware` and want
+to know whether the user is currently logged-in you would use::
+
+ if request.user.is_authenticated:
+ ... # Do something for logged-in users.
+ else:
+ ... # Do something for anonymous users.
+
+instead of ``request.user.is_authenticated()``.
+
+This change avoids accidental information leakage if you forget to call the
+method, e.g.::
+
+ if request.user.is_authenticated:
+ return sensitive_information
+
+If you override these methods in a custom user model, you must change them to
+properties or attributes.
+
Custom manager classes available through ``prefetch_related`` must define a ``_apply_rel_filters()`` method
-----------------------------------------------------------------------------------------------------------