
Fixed #17869 - security improvement to RemoteUserMiddleware #134

Closed
wants to merge 3 commits into from

3 participants

@bouchardsyl
  • (On behalf of Paul McMillan) this is a minor security fix so it should be backported to 1.4

Fixed #17869

  • RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.
  • Added a test, and documentation for the 1.4.1 release.
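To make the behaviour described in this PR concrete, here is an added example that is not the PR's or Django's code: a plain dict models the session, and three small process_request variants model RemoteUserMiddleware before the patch, as patched here, and with an extra check (an assumption for the example, not something this PR does) that only drops sessions the remote-user backend created. The key names, the process_request_* functions, the run() driver and the password_session scenario are all invented for the example.

```python
"""Model of the stale REMOTE_USER session fixed by #17869.

Added example, not Django's own code: a plain dict stands in for the
session store, plain strings stand in for the logged-in user and for the
backend that authenticated it, and three small process_request variants
stand in for RemoteUserMiddleware before the patch, as patched in this
PR, and with an assumed backend check that the PR does not contain.
"""

# Session keys; the names mirror the ones Django uses but nothing here
# depends on Django.
USER_KEY = "_auth_user_id"
BACKEND_KEY = "_auth_user_backend"

REMOTE_USER_BACKEND = "RemoteUserBackend"
MODEL_BACKEND = "ModelBackend"          # a password backend, for contrast


class Request:
    """One HTTP request: a shared session dict plus per-request headers."""

    def __init__(self, session, meta):
        self.session = session
        self.META = meta


def login(request, username, backend):
    request.session[USER_KEY] = username
    request.session[BACKEND_KEY] = backend


def logout(request):
    request.session.clear()


def current_user(request):
    """Username held by the session, or None when anonymous."""
    return request.session.get(USER_KEY)


def _authenticate_header(request, username):
    # Same in all three variants: a present header wins over the session.
    if current_user(request) != username:
        login(request, username, REMOTE_USER_BACKEND)


def process_request_before(request, header="REMOTE_USER"):
    """Pre-fix behaviour: a missing header just returns, so the session
    stays logged in after the front-end server stops asserting a user."""
    username = request.META.get(header)
    if username is None:
        return
    _authenticate_header(request, username)


def process_request_patched(request, header="REMOTE_USER"):
    """Behaviour of the hunk in this PR: a missing header logs out
    whoever the session holds, whatever backend logged them in."""
    username = request.META.get(header)
    if username is None:
        if current_user(request) is not None:
            logout(request)
        return
    _authenticate_header(request, username)


def process_request_backend_aware(request, header="REMOTE_USER"):
    """Assumed refinement, not part of the PR: only drop a session that
    the remote-user backend created, so a password login on a path the
    front-end server does not protect survives a header-less request."""
    username = request.META.get(header)
    if username is None:
        if (current_user(request) is not None
                and request.session.get(BACKEND_KEY) == REMOTE_USER_BACKEND):
            logout(request)
        return
    _authenticate_header(request, username)


def run(middleware, metas, session=None):
    """Push a sequence of per-request header dicts through one session and
    return the username the session holds after each request."""
    session = {} if session is None else session
    seen = []
    for meta in metas:
        request = Request(session, meta)
        middleware(request)
        seen.append(current_user(request))
    return seen


# Constructed scenario from the ticket: the header is present once and
# then disappears within the same browser session.
HEADER_THEN_GONE = [{"REMOTE_USER": "knownuser"}, {}]


def password_session():
    """Constructed session of a user who logged in with a password, not
    via REMOTE_USER, and then requests a path without the header."""
    return {USER_KEY: "alice", BACKEND_KEY: MODEL_BACKEND}


if __name__ == "__main__":
    print("before  :", run(process_request_before, HEADER_THEN_GONE))
    print("patched :", run(process_request_patched, HEADER_THEN_GONE))
    print("password login, patched      :",
          run(process_request_patched, [{}], password_session()))
    print("password login, backend-aware:",
          run(process_request_backend_aware, [{}], password_session()))
```

Running it shows the three behaviours side by side: before the patch the session still reports `knownuser` after the header is gone; the patched variant returns an anonymous session; and the backend-aware variant keeps the password-authenticated `alice` logged in while still dropping a REMOTE_USER session, which is the trade-off a deployment mixing both login paths has to think about.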
Sylvain Bouchard  Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

Added a test, and documentation for the 1.4.1 release.
8487613
@jezdez
Owner

The changelog entry needs to be in 1.5.txt, too.

Sylvain Bouc... added some commits
Sylvain Bouchard  Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

Added a test, and documentation for the 1.4.1 and 1.5 releases.
9dabaaa
Sylvain Bouchard Merge branch 'master' of github.com:bouchardsyl/django 189ed20
@bouchardsyl

Added changelog entry to 1.5.txt.

@chrismedrela chrismedrela commented on the diff
docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
* In the localflavor for Canada, "pq" was added to the acceptable codes for
Quebec. It's an old abbreviation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during a same browser session.

I'm afraid "during a same" is incorrect. I think that "during the same" is the correct one.

@bouchardsyl bouchardsyl closed this
@bouchardsyl bouchardsyl reopened this
@bouchardsyl bouchardsyl closed this
Commits on Jun 8, 2012
  1. Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

     Sylvain Bouchard authored

     Added a test, and documentation for the 1.4.1 release.
  2. Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during the same browser session.

     Sylvain Bouchard authored

     Added a test, and documentation for the 1.4.1 and 1.5 releases.
  3. Merge branch 'master' of github.com:bouchardsyl/django

     Sylvain Bouchard authored
2  django/contrib/auth/middleware.py
@@ -50,6 +50,8 @@ def process_request(self, request):
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
+ if request.user.is_authenticated():
+ auth.logout(request)
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
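Review bot: the logout added in the header-missing branch fires for any authenticated user, not only one that RemoteUserBackend logged in, so on a deployment that combines REMOTE_USER with a password backend, or whose front-end server only sets the header on some paths, an ordinary login session is dropped by the first request that arrives without the header. Consider checking the backend recorded in the session (auth.BACKEND_SESSION_KEY) and calling auth.logout(request) only when it is a RemoteUserBackend; that is also the distinction the release notes should spell out. The comment directly above the new lines ("then return (leaving request.user set to AnonymousUser by the AuthenticationMiddleware)") is now stale, since the branch actively logs the user out before returning, and should be updated to say so.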
18 django/contrib/auth/tests/remote_user.py
@@ -2,7 +2,7 @@
from django.conf import settings
from django.contrib.auth.backends import RemoteUserBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
from django.test import TestCase
from django.utils import timezone
@@ -95,6 +95,22 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ User.objects.create(username='knownuser2')
+ num_users = User.objects.count()
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ self.assertEqual(User.objects.count(), num_users)
+ # During the session, the REMOTE_USER header disappears. Should trigger logout.
+ response = self.client.get('/remote_user/')
+ self.assertEqual(type(response.context['user']), AnonymousUser)
+
def tearDown(self):
"""Restores settings to avoid breaking other tests."""
settings.MIDDLEWARE_CLASSES = self.curr_middleware
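Review bot: the test only checks the rendered context user, not the session, so it would still pass if the middleware merely replaced request.user for that one request; after the header-less request, assert that the session no longer carries the login as well (for example that the user id key is absent from self.client.session). Two cleanups: 'knownuser2' is created but never used, and the num_users check repeats what the existing known-user test already covers. The middleware change also affects users authenticated by a different backend, so a companion test in which a user logged in through the normal login flow survives a request without REMOTE_USER would pin down the intended behaviour either way.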
9 docs/releases/1.4.1.txt
@@ -0,0 +1,9 @@
+==========================
+Django 1.4.1 release notes
+==========================
+
+Fixed behaviour of RemoteUserMiddleware: force logout when the
+REMOTE_USER header disappears during a same browser session.
+
+.. _bug: https://code.djangoproject.com/ticket/17869
+
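Review bot: the `.. _bug:` hyperlink target on the last line is never referenced from the text, so it is dead markup; either link the ticket inline (e.g. `#17869 <https://code.djangoproject.com/ticket/17869>`_) or drop the target. "during a same browser session" should read "during the same browser session". Since the PR description calls this a security fix, the note should also state what happened before the change (a session authenticated via REMOTE_USER stayed logged in after the front-end server stopped sending the header) so that administrators can judge their exposure and whether the new logout behaviour affects sites that mix REMOTE_USER with other login backends.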
3  docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
* In the localflavor for Canada, "pq" was added to the acceptable codes for
Quebec. It's an old abbreviation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during a same browser session.

+
Backwards incompatible changes in 1.5
=====================================
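Review bot: as already raised inline, "during a same browser session" should read "during the same browser session". The entry also sits under the "smaller improvements" list while the 1.4.1 note describes the same change as a fixed bug with security impact; the two notes should describe it consistently, and because sessions that previously survived a missing REMOTE_USER header are now terminated, a mention under the "Backwards incompatible changes in 1.5" section that follows would warn sites relying on the old behaviour.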