Remove user and session from request attributes

Author: davegaeddert

demos/full/app/settings.py

@@ -34,7 +34,6 @@
 
 MIDDLEWARE = [
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
     "plain.admin.AdminMiddleware",
 ]
 

plain-admin/plain/admin/README.md

@@ -141,7 +141,6 @@ AUTH_LOGIN_URL = "login"
 
 MIDDLEWARE = [
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
     "plain.admin.AdminMiddleware",
 ]
 ```

plain-admin/plain/admin/impersonate/__init__.py

@@ -1,3 +1,7 @@
 from .middleware import ImpersonateMiddleware
+from .requests import get_request_impersonator
 
-__all__ = ["ImpersonateMiddleware"]
+__all__ = [
+    "ImpersonateMiddleware",
+    "get_request_impersonator",
+]

plain-admin/plain/admin/impersonate/constants.py

@@ -0,0 +1 @@
+IMPERSONATE_SESSION_KEY = "impersonate"

plain-admin/plain/admin/impersonate/middleware.py

@@ -1,8 +1,11 @@
 from plain.auth import get_user_model
+from plain.auth.requests import get_request_user, set_request_user
 from plain.http import ResponseForbidden
+from plain.sessions import get_request_session
 
+from .constants import IMPERSONATE_SESSION_KEY
 from .permissions import can_be_impersonator, can_impersonate_user
-from .views import IMPERSONATE_KEY
+from .requests import set_request_impersonator
 
 
 def get_user_by_id(id):
@@ -19,20 +22,24 @@ def __init__(self, get_response):
         self.get_response = get_response
 
     def __call__(self, request):
+        session = get_request_session(request)
+        user = get_request_user(request)
+
         if (
-            IMPERSONATE_KEY in request.session
-            and request.user
-            and can_be_impersonator(request.user)
+            session
+            and IMPERSONATE_SESSION_KEY in session
+            and user
+            and can_be_impersonator(user)
         ):
-            user_to_impersonate = get_user_by_id(request.session[IMPERSONATE_KEY])
+            user_to_impersonate = get_user_by_id(session[IMPERSONATE_SESSION_KEY])
             if user_to_impersonate:
-                if not can_impersonate_user(request.user, user_to_impersonate):
+                if not can_impersonate_user(user, user_to_impersonate):
                     # Can't impersonate this user, remove it and show an error
-                    del request.session[IMPERSONATE_KEY]
+                    del session[IMPERSONATE_SESSION_KEY]
                     return ResponseForbidden()
 
                 # Finally, change the request user and keep a reference to the original
-                request.impersonator = request.user
-                request.user = user_to_impersonate
+                set_request_impersonator(request, user)
+                set_request_user(request, user_to_impersonate)
 
         return self.get_response(request)

plain-admin/plain/admin/impersonate/requests.py

@@ -0,0 +1,22 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from weakref import WeakKeyDictionary
+
+if TYPE_CHECKING:
+    from plain.auth import get_user_model
+    from plain.http import Request
+
+    User = get_user_model()
+
+_request_impersonators: WeakKeyDictionary[Request, User] = WeakKeyDictionary()
+
+
+def set_request_impersonator(request: Request, impersonator: User) -> None:
+    """Store the impersonator (original user) for this request."""
+    _request_impersonators[request] = impersonator
+
+
+def get_request_impersonator(request: Request) -> User | None:
+    """Get the impersonator (original user) for this request, if any."""
+    return _request_impersonators.get(request)

plain-admin/plain/admin/impersonate/views.py

@@ -1,23 +1,25 @@
+from plain.auth.views import AuthViewMixin
 from plain.http import ResponseForbidden, ResponseRedirect
+from plain.sessions.views import SessionViewMixin
 from plain.views import View
 
+from .constants import IMPERSONATE_SESSION_KEY
 from .permissions import can_be_impersonator
+from .requests import get_request_impersonator
 
-IMPERSONATE_KEY = "impersonate"
 
-
-class ImpersonateStartView(View):
+class ImpersonateStartView(AuthViewMixin, View):
     def get(self):
         # We *could* already be impersonating, so need to consider that
-        impersonator = getattr(self.request, "impersonator", self.request.user)
+        impersonator = get_request_impersonator(self.request) or self.user
         if impersonator and can_be_impersonator(impersonator):
-            self.request.session[IMPERSONATE_KEY] = self.url_kwargs["id"]
+            self.session[IMPERSONATE_SESSION_KEY] = self.url_kwargs["id"]
             return ResponseRedirect(self.request.query_params.get("next", "/"))
 
         return ResponseForbidden()
 
 
-class ImpersonateStopView(View):
+class ImpersonateStopView(SessionViewMixin, View):
     def get(self):
-        self.request.session.pop(IMPERSONATE_KEY)
+        self.session.pop(IMPERSONATE_SESSION_KEY)
         return ResponseRedirect(self.request.query_params.get("next", "/"))

plain-admin/plain/admin/templates/admin/base.html

@@ -166,11 +166,11 @@
             <div class="mt-8 flex flex-col text-sm pb-3 pt-3 text-stone-400 sticky bottom-0 bg-stone-950/95 pl-3.5 pr-5">
                 <div class="flex items-center justify-between space-x-1.5">
                     <div class="flex items-center truncate">
-                        {% set gravatar_url = get_gravatar_url(request.user) %}
+                        {% set gravatar_url = get_gravatar_url(user) %}
                         {% if gravatar_url %}
                             <img
                                 src="{{ gravatar_url }}"
-                                alt="{{ request.user }}"
+                                alt="{{ user }}"
                                 class="w-5 h-5 mr-1.5 flex-shrink-0 rounded-full"
                             />
                         {% else %}
@@ -180,7 +180,7 @@
                             </svg>
                         {% endif %}
                         <span class="truncate">
-                            {{ request.user }}
+                            {{ user }}
                         </span>
                     </div>
                     <form method="POST" action="{{ url('logout') }}" class="flex items-center flex-shrink-0 ml-2">

plain-admin/plain/admin/templates/admin/toolbar/button.html

@@ -1,7 +1,7 @@
 <div class="flex items-center space-x-1">
-    {% if request.impersonator is defined %}
+    {% if impersonator %}
     <div class="flex items-center font-light">
-        Impersonating&nbsp;<span class="font-medium">{{ request.user }}</span>
+        Impersonating&nbsp;<span class="font-medium">{{ user }}</span>
         <a href="{{ url('admin:impersonate:stop') }}" title="Stop impersonating" class="flex items-center px-1 ml-1 text-red-300 hover:text-white">
             <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="w-4 h-4 bi bi-x-octagon-fill" viewBox="0 0 16 16">
                 <path d="M11.46.146A.5.5 0 0 0 11.107 0H4.893a.5.5 0 0 0-.353.146L.146 4.54A.5.5 0 0 0 0 4.893v6.214a.5.5 0 0 0 .146.353l4.394 4.394a.5.5 0 0 0 .353.146h6.214a.5.5 0 0 0 .353-.146l4.394-4.394a.5.5 0 0 0 .146-.353V4.893a.5.5 0 0 0-.146-.353L11.46.146zm-6.106 4.5L8 7.293l2.646-2.647a.5.5 0 0 1 .708.708L8.707 8l2.647 2.646a.5.5 0 0 1-.708.708L8 8.707l-2.646 2.647a.5.5 0 0 1-.708-.708L7.293 8 4.646 5.354a.5.5 0 1 1 .708-.708z"/>

plain-admin/plain/admin/toolbar.py

@@ -1,5 +1,6 @@
 from plain.toolbar import ToolbarItem, register_toolbar_item
 
+from .impersonate import get_request_impersonator
 from .views.registry import registry
 
 
@@ -15,4 +16,5 @@ def get_template_context(self):
             obj = context["object"]
             context["object_admin_url"] = registry.get_model_detail_url(obj)
             context["object_class_name"] = obj.__class__.__name__
+        context["impersonator"] = get_request_impersonator(self.request)
         return context