
Fixed #17869 - security improvement to RemoteUserMiddleware #134

Closed
wants to merge 3 commits into from

3 participants

Sylvain Bouchard Jannis Leidel chrismedrela
Sylvain Bouchard
  • (On behalf of Paul McMillan) this is a minor security fix so it should be backported to 1.4

Fixed #17869

  • RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.
  • Added a test, and documentation for the 1.4.1 release.
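As an added illustration of the behaviour change this pull request describes (this is not code from the PR or from Django), the following simplified model walks one browser session through two requests: the first carries REMOTE_USER, the second does not. `process_request_before` keeps the stale session alive, which is the defect ticket #17869 reports; `process_request_after` ends the session the way the patched middleware does. `FakeRequest`, `AUTH_USER_KEY`, `login`, `logout` and the two `process_request_*` functions are stand-ins of my own, not Django APIs.

```python
# Simplified, self-contained model of the logic this PR changes.
# Not Django's code: FakeRequest, AUTH_USER_KEY, login/logout and the
# process_request_* functions are assumptions chosen for this illustration.

from dataclasses import dataclass, field

HEADER = "REMOTE_USER"        # set by the front-end web server after it authenticates the user
AUTH_USER_KEY = "_auth_user"  # session key holding the logged-in username (assumed name)


@dataclass
class FakeRequest:
    """Minimal stand-in for an HTTP request: header dict plus a server-side session."""
    META: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

    @property
    def user(self):
        # None models AnonymousUser; a string models an authenticated user.
        return self.session.get(AUTH_USER_KEY)

    def is_authenticated(self):
        return self.user is not None


def login(request, username):
    request.session[AUTH_USER_KEY] = username


def logout(request):
    request.session.pop(AUTH_USER_KEY, None)


def process_request_before(request):
    """Pre-patch behaviour: a missing header leaves whatever session exists untouched."""
    username = request.META.get(HEADER)
    if not username:
        return
    if request.user == username:
        return  # already logged in as the asserted identity
    login(request, username)


def process_request_after(request):
    """Post-patch behaviour: a missing header ends any authenticated session."""
    username = request.META.get(HEADER)
    if not username:
        if request.is_authenticated():
            logout(request)
        return
    if request.user == username:
        return
    login(request, username)


def simulate(process):
    """Drive one session through two requests (header present, then absent)
    and return who the session belongs to afterwards."""
    request = FakeRequest(META={HEADER: "knownuser"})  # constructed sample request
    process(request)
    assert request.user == "knownuser"
    # Same session cookie, but the front end no longer asserts an identity.
    request.META = {}
    process(request)
    return request.user


if __name__ == "__main__":
    print("before fix, user after header disappears:", simulate(process_request_before))
    print("after fix,  user after header disappears:", simulate(process_request_after))
```

The point of the model is the second request: with the old logic the session remains bound to `knownuser` although the authenticating front end has stopped vouching for it, so the session outlives the identity assertion it was created from.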
Sylvain Bouchard: Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.

Added a test, and documentation for the 1.4.1 release.
8487613
Jannis Leidel
Owner

The changelog entry needs to be in 1.5.txt, too.

Sylvain Bouchard added some commits
Sylvain Bouchard: Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.

Added a test, and documentation for the 1.4.1 and 1.5 releases.
9dabaaa
Sylvain Bouchard Merge branch 'master' of github.com:bouchardsyl/django 189ed20
Sylvain Bouchard

Added changelog entry to 1.5.txt.

chrismedrela commented on the diff
docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
* In the localflavor for Canada, "pq" was added to the acceptable codes for
Quebec. It's an old abbreviation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during a same browser session.

I'm afraid "during a same" is incorrect. I think that "during the same" is the correct one.

Sylvain Bouchard bouchardsyl closed this
Sylvain Bouchard bouchardsyl reopened this
Sylvain Bouchard bouchardsyl closed this
Commits on Jun 8, 2012
  1. Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.

    Sylvain Bouchard authored

    Added a test, and documentation for the 1.4.1 release.
  2. Fixed #17869 - RemoteUserMiddleware forces logout when REMOTE_USER header disappears during a same browser session.

    Sylvain Bouchard authored

    Added a test, and documentation for the 1.4.1 and 1.5 releases.
  3. Merge branch 'master' of github.com:bouchardsyl/django

    Sylvain Bouchard authored
2  django/contrib/auth/middleware.py
@@ -50,6 +50,8 @@ def process_request(self, request):
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
+ if request.user.is_authenticated():
+ auth.logout(request)
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
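Review bot: the new branch `+ if request.user.is_authenticated():` / `+ auth.logout(request)` logs out whoever is in the session whenever the header is absent, regardless of which backend authenticated them, so on a site that installs RemoteUserMiddleware alongside a form-based login, a user who logged in through the form is logged out on any request the front end does not tag with REMOTE_USER. If that is the intended contract, the release notes should say so; otherwise consider restricting the logout to sessions that RemoteUserBackend created. Also, the comment just above (`# If specified header doesn't exist then return (leaving` ... `AuthenticationMiddleware).`) now describes only half of what the branch does; extend it to mention that an existing authenticated session is ended.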
18 django/contrib/auth/tests/remote_user.py
@@ -2,7 +2,7 @@
from django.conf import settings
from django.contrib.auth.backends import RemoteUserBackend
-from django.contrib.auth.models import User
+from django.contrib.auth.models import User, AnonymousUser
from django.test import TestCase
from django.utils import timezone
@@ -95,6 +95,22 @@ def test_last_login(self):
response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
self.assertEqual(default_login, response.context['user'].last_login)
+ def test_header_disappears(self):
+ """
+ Tests that a logged in user is logged out automatically when
+ the REMOTE_USER header disappears during the same browser session.
+ """
+ User.objects.create(username='knownuser')
+ User.objects.create(username='knownuser2')
+ num_users = User.objects.count()
+ # Known user authenticates
+ response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
+ self.assertEqual(response.context['user'].username, 'knownuser')
+ self.assertEqual(User.objects.count(), num_users)
+ # During the session, the REMOTE_USER header disappears. Should trigger logout.
+ response = self.client.get('/remote_user/')
+ self.assertEqual(type(response.context['user']), AnonymousUser)
+
def tearDown(self):
"""Restores settings to avoid breaking other tests."""
settings.MIDDLEWARE_CLASSES = self.curr_middleware
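Review bot: `self.assertEqual(type(response.context['user']), AnonymousUser)` compares the concrete class, which is brittle if the context user is a proxy or subclass of AnonymousUser; `self.assertTrue(isinstance(response.context['user'], AnonymousUser))` or, closer to the behaviour under test, `self.assertFalse(response.context['user'].is_authenticated())` states the intent directly. Separately, the `knownuser2` row and the two `num_users` assertions do not bear on the header-disappears case and read as copied from a neighbouring test; dropping them keeps `test_header_disappears` focused on the forced logout. The docstring also repeats the "during the same browser session" wording, which is the correct form and should be matched in the release notes.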
9 docs/releases/1.4.1.txt
@@ -0,0 +1,9 @@
+==========================
+Django 1.4.1 release notes
+==========================
+
+Fixed behaviour of RemoteUserMiddleware: force logout when the
+REMOTE_USER header disappears during a same browser session.
+
+.. _bug: https://code.djangoproject.com/ticket/17869
+
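Review bot: the `.. _bug: https://code.djangoproject.com/ticket/17869` target at the end of the note is never referenced in the text, so it renders nothing; either reference it (``see `bug`_``) or put the ticket link inline, for example "(`#17869 <https://code.djangoproject.com/ticket/17869>`_)". Two wording points: "during a same browser session" should read "during the same browser session", and since this is billed as a security fix the note should say what the old behaviour allowed (a session stayed logged in after the front-end server stopped supplying REMOTE_USER) rather than only "Fixed behaviour of RemoteUserMiddleware".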
3  docs/releases/1.5.txt
@@ -92,6 +92,9 @@ Django 1.5 also includes several smaller improvements worth noting:
* In the localflavor for Canada, "pq" was added to the acceptable codes for
Quebec. It's an old abbreviation.
+* RemoteUserMiddleware now forces logout when the REMOTE_USER header
+ disappears during a same browser session.

I'm afraid "during a same" is incorrect. I think that "during the same" is the correct one.

+
Backwards incompatible changes in 1.5
=====================================
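Review bot: the entry is filed under "smaller improvements", but it changes observable behaviour: any deployment whose front end does not send REMOTE_USER on every request will now see users logged out on the first request that lacks the header. Consider listing it under the "Backwards incompatible changes in 1.5" heading that follows instead, with the same ticket reference the 1.4.1 note carries. As the inline comment on this hunk says, "during a same browser session" should read "during the same browser session".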