| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-05-20 17:12:25 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2025-05-23 10:24:09 +0200 |
| commit | 9db932ab4c4e0e85697719443247d229bf14db9a (patch) | |
| tree | 477f1a1ced8b10ab8d154ad3f0a943fc68cb20a3 /django | |
| parent | cdd374939a3df497ff050e16663a73acb6cca899 (diff) | |
[5.2.x] Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing aprocess_request().
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099.
Thank you to shamoon for the report and Natalia Bidart for the review.
Backport of 1704c49a9b149b66b6a0e67abc8c95293bc35649 from main.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/middleware.py | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py
index 880563bc5b..6be3552cad 100644
--- a/django/contrib/auth/middleware.py
+++ b/django/contrib/auth/middleware.py
@@ -1,7 +1,8 @@
+import warnings
 from functools import partial
 from urllib.parse import urlsplit
-from asgiref.sync import iscoroutinefunction, markcoroutinefunction
+from asgiref.sync import iscoroutinefunction, markcoroutinefunction, sync_to_async
 from django.conf import settings
 from django.contrib import auth
@@ -10,7 +11,7 @@ from django.contrib.auth.backends import RemoteUserBackend
 from django.contrib.auth.views import redirect_to_login
 from django.core.exceptions import ImproperlyConfigured
 from django.shortcuts import resolve_url
-from django.utils.deprecation import MiddlewareMixin
+from django.utils.deprecation import MiddlewareMixin, RemovedInDjango61Warning
 from django.utils.functional import SimpleLazyObject
@@ -128,6 +129,10 @@ class RemoteUserMiddleware:
 def __call__(self, request):
 if self.is_async:
 return self.__acall__(request)
+ self.process_request(request)
+ return self.get_response(request)
+
+ def process_request(self, request):
 # AuthenticationMiddleware is required so that request.user exists.
 if not hasattr(request, "user"):
 raise ImproperlyConfigured(
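Review bot: The new `__call__` in the `@@ -128,6 +129,10 @@` hunk discards whatever `process_request()` returns (`self.process_request(request)` followed by `return self.get_response(request)`), so a subclass override that returns a response to reject a request no longer short-circuits and the view still runs. Under the `MiddlewareMixin` contract a non-None return from `process_request()` ends the request; whether this class honoured that before the regression is not visible here, but for an authentication hook a silently ignored rejection fails open. Consider `response = self.process_request(request)` and `return response or self.get_response(request)`, or add a docstring on `process_request()` stating that its return value is ignored. The same applies to the `await sync_to_async(self.process_request, thread_sensitive=True)(request)` fallback in the `@@ -165,9 +170,26 @@` hunk. The body of `process_request()` continues outside this hunk.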
@@ -145,13 +150,13 @@ class RemoteUserMiddleware:
 # AnonymousUser by the AuthenticationMiddleware).
 if self.force_logout_if_no_header and request.user.is_authenticated:
 self._remove_invalid_user(request)
- return self.get_response(request)
+ return
 # If the user is already authenticated and that user is the user we are
 # getting passed in the headers, then the correct user is already
 # persisted in the session and we don't need to continue.
 if request.user.is_authenticated:
 if request.user.get_username() == self.clean_username(username, request):
- return self.get_response(request)
+ return
 else:
 # An authenticated user is associated with the request, but
 # it does not match the authorized user in the header.
@@ -165,9 +170,26 @@ class RemoteUserMiddleware:
 # by logging the user in.
 request.user = user
 auth.login(request, user)
- return self.get_response(request)
 async def __acall__(self, request):
+ # RemovedInDjango61Warning.
+ if (
+ self.__class__.process_request is not RemoteUserMiddleware.process_request
+ and self.__class__.aprocess_request is RemoteUserMiddleware.aprocess_request
+ ):
+ warnings.warn(
+ "Support for subclasses of RemoteUserMiddleware that override "
+ "process_request() without overriding aprocess_request() is "
+ "deprecated.",
+ category=RemovedInDjango61Warning,
+ stacklevel=2,
+ )
+ await sync_to_async(self.process_request, thread_sensitive=True)(request)
+ return await self.get_response(request)
+ await self.aprocess_request(request)
+ return await self.get_response(request)
+
+ async def aprocess_request(self, request):
 # AuthenticationMiddleware is required so that request.user exists.
 if not hasattr(request, "user"):
 raise ImproperlyConfigured(
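Review bot: The compatibility check added to `__acall__` in the `@@ -165,9 +170,26 @@` hunk covers only one direction: a subclass that overrides `aprocess_request()` but not `process_request()` gets no warning, and under a synchronous deployment `__call__` would run the base `process_request()` and skip the subclass's logic. If such overrides carry extra checks on the remote-user header, that gap deserves a matching warning in `__call__`, or at least a comment here saying both hooks must be overridden together. The message also does not name the class that triggered it, and `stacklevel=2` likely attributes it to whatever awaited the coroutine rather than to the subclass. Appending the name, e.g. `f"... is deprecated ({self.__class__.__qualname__})."`, would let operators find the affected middleware from logs. The body of `aprocess_request()` continues outside this hunk.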
@@ -187,14 +209,14 @@ class RemoteUserMiddleware:
 user = await request.auser()
 if user.is_authenticated:
 await self._aremove_invalid_user(request)
- return await self.get_response(request)
+ return
 user = await request.auser()
 # If the user is already authenticated and that user is the user we are
 # getting passed in the headers, then the correct user is already
 # persisted in the session and we don't need to continue.
 if user.is_authenticated:
 if user.get_username() == self.clean_username(username, request):
- return await self.get_response(request)
+ return
 else:
 # An authenticated user is associated with the request, but
 # it does not match the authorized user in the header.
@@ -209,8 +231,6 @@ class RemoteUserMiddleware:
 request.user = user
 await auth.alogin(request, user)
- return await self.get_response(request)
-
 def clean_username(self, username, request):
 """
 Allow the backend to clean the username, if the backend defines a |
