| Age | Commit message (Collapse) | Author |
|
corresponds to request.META under ASGI.
Because these tests always passed both WSGI environ values and HTTP
headers via `**extra`, this masked a behavior difference between WSGI
and ASGI.
What should happen: everything should be passed via `headers` but for
the default REMOTE_USER case on WSGI, which should be passed via
`**extra`.
Since that was not done, a regression made it into Django 5.2
(50f89ae850f6b4e35819fe725a08c7e579bfd099) where `.header` no longer
corresponded to the request.META key under ASGI. To cope, an ASGI user
would have started(*) sending HTTP headers that match the `.header`
attribute, which may or may not have been edited to remove the HTTP_
prefix. (Note: the default `REMOTE_USER` case did not work under ASGI,
so the change in Django 5.2 had the effect of fixing the default case
but changing the semantic of the custom case.)
(*): Unless they were getting the sync execution path, which didn't have
this bug. See the fix in 0f4fff79d33b7cc84822e66bd1fc16caf8222e3a.
Thanks Mykhailo Havelia and Sarah Boyce for reviews.
|
|
This alleviates sync/async duplication.
|
|
We need to switch on whether the request is a WSGI or ASGI request to
know whether to prepend `HTTP_`: we cannot assume sync exceution means
we are running under WSGI, as there could be other sync middleware
forcing sync execution under ASGI.
Thanks Mykhailo Havelia for the report.
|
|
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
request.user/auser as handled by login().
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
handle subclasses.
Co-authored-by: Arfey <Arfey17.mg@gmail.com>
|
|
As Python 3.12 is now the floor, we can drop the shims and
use the `inspect` module.
|
|
aprocess_request().
Per deprecation timeline.
|
|
|
|
|
|
aprocess_request().
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099.
Thank you to shamoon for the report and Natalia Bidart for the review.
|
|
Persistent/RemoteUserMiddleware comments.
Changed the docstrings and code comments to better reflect where the default value
comes from (an environment variable, not request header).
|
|
|
|
This work should not generate any change of functionality, and
`urlsplit` is approximately 6x faster.
Most use cases of `urlparse` didn't touch the path, so they can be
converted to `urlsplit` without any issue. Most of those which do use
`.path`, simply parse the URL, mutate the querystring, then put them
back together, which is also fine (so long as urlunsplit is used).
|
|
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
related methods test clients.
|
|
|
|
|
|
appropriate.
|
|
middlewares.
|
|
This reverts commit 2f010795e690550c8c6f56b3924c0f629cacb33b.
|
|
SimpleLazyObject already caches value in _wrapped.
|
|
|
|
This reverts commit 550cb3a365dee4edfdd1563224d5304de2a57fda
because try/except performs better.
|
|
|
|
|
|
|
|
|
|
Thanks Tim Graham for polishing the patch, updating the tests, and
writing documentation. Thanks Carl Meyer for shepherding the DEP.
|
|
|
|
|
|
external authentication.
|
|
SessionAuthenticationMiddleware.
Thanks andrewbadr for the report and Carl Meyer for the review.
|
|
This is a security fix. Disclosure following shortly.
|
|
changes.
Thanks Paul McMillan, Aymeric Augustin, and Erik Romijn for reviews.
|
|
Thanks Keryn Knight.
|
|
import_string().
Thanks Aymeric Augustin for the suggestion and review.
|
|
local variables
|
|
If the current sessions user was logged in via a remote user backend log out
the user if REMOTE_USER header not available - otherwise leave it to other auth
middleware to install the AnonymousUser.
Thanks to Sylvain Bouchard for the initial patch and ticket maintenance.
|
|
UserAdmin to match.
|
|
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16332 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
Thanks for the review Luke.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16305 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
monkey patching
Thanks to m.vantellingen for the report and tests, and to aaugustin for
work on the tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16297 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
for supporting external authentication solutions. Thanks to all who contributed to this patch, including Ian Holsman, garthk, Koen Biermans, Marc Fargas, ekarulf, and Ramiro Morales.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10063 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
class. Thanks for the patch, jkocherhans
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3754 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
ramifications of this change. Many, many thanks to Joseph Kocherhans for the hard work!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3226 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
Django. Thanks, Nicola Larosa
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3113 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|
|
backwards-incompatible. Please read http://code.djangoproject.com/wiki/RemovingTheMagic for upgrade instructions.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@2809 bcc190cf-cafb-0310-a4f2-bffc1f526a37
|