Fix some request.user and request.session docs mentions

Author: davegaeddert

plain-api/plain/api/README.md

@@ -20,6 +20,7 @@ Because [Views](/plain/plain/views/README.md) can convert built-in types to resp
 ```python
 # app/api/views.py
 from plain.api.views import APIKeyView, APIView
+from plain.auth import get_request_user, set_request_user
 from plain.http import JsonResponse
 from plain.views.exeptions import ResponseException
 
@@ -33,7 +34,7 @@ class BaseAPIView(APIView, APIKeyView):
         super().use_api_key()
 
         if user := self.api_key.users.first():
-            self.request.user = user
+            set_request_user(self.request, user)
         else:
             raise ResponseException(
                 JsonResponse(
@@ -46,10 +47,11 @@ class BaseAPIView(APIView, APIKeyView):
 # An endpoint that returns the current user
 class UserView(BaseAPIView):
     def get(self):
+        user = get_request_user(self.request)
         return {
-            "uuid": self.request.user.uuid,
-            "username": self.request.user.username,
-            "time_zone": str(self.request.user.time_zone),
+            "uuid": user.uuid,
+            "username": user.username,
+            "time_zone": str(user.time_zone),
         }
 
 
@@ -59,7 +61,7 @@ class PullRequestView(BaseAPIView):
         try:
             pull = (
                 PullRequest.query.all()
-                .visible_to_user(self.request.user)
+                .visible_to_user(get_request_user(self.request))
                 .get(uuid=self.url_kwargs["uuid"])
             )
         except PullRequest.DoesNotExist:
@@ -104,10 +106,12 @@ Handling authentication in the API is pretty straightforward. If you use [API ke
 ```python
 class BaseAPIView(APIView, APIKeyView):
     def use_api_key(self):
+        from plain.auth import set_request_user
+
         super().use_api_key()
 
         if user := self.api_key.users.first():
-            self.request.user = user
+            set_request_user(self.request, user)
         else:
             raise ResponseException(
                 JsonResponse(
@@ -122,10 +126,12 @@ When it comes to authorizing actions, typically you will factor this in to the q
 ```python
 class PullRequestView(BaseAPIView):
     def get(self):
+        from plain.auth import get_request_user
+
         try:
             pull = (
                 PullRequest.query.all()
-                .visible_to_user(self.request.user)
+                .visible_to_user(get_request_user(self.request))
                 .get(uuid=self.url_kwargs["uuid"])
             )
         except PullRequest.DoesNotExist:
@@ -149,9 +155,11 @@ class UserForm(ModelForm):
 
 class UserView(BaseAPIView):
     def patch(self):
+        from plain.auth import get_request_user
+
         form = UserForm(
             request=self.request,
-            instance=self.request.user,
+            instance=get_request_user(self.request),
         )
 
         if form.is_valid():
@@ -174,10 +182,12 @@ Deletes can be handled in the `delete` method of the view. Most of the time this
 ```python
 class PullRequestView(BaseAPIView):
     def delete(self):
+        from plain.auth import get_request_user
+
         try:
             pull = (
                 PullRequest.query.all()
-                .visible_to_user(self.request.user)
+                .visible_to_user(get_request_user(self.request))
                 .get(uuid=self.url_kwargs["uuid"])
             )
         except PullRequest.DoesNotExist:
@@ -229,19 +239,20 @@ user.api_key = APIKey.query.create()
 user.save()
 ```
 
-To use API keys in your views, you can inherit from `APIKeyView` and customize the [`use_api_key`](./views.py#use_api_key) method to set the `request.user` attribute (or any other attribute) to the object associated with the API key.
+To use API keys in your views, you can inherit from `APIKeyView` and customize the [`use_api_key`](./views.py#use_api_key) method to associate the request with a user (or any other object) using `set_request_user()`.
 
 ```python
 # app/api/views.py
 from plain.api.views import APIKeyView, APIView
+from plain.auth import set_request_user
 
 
 class BaseAPIView(APIView, APIKeyView):
     def use_api_key(self):
         super().use_api_key()
 
         if user := self.api_key.users.first():
-            self.request.user = user
+            set_request_user(self.request, user)
         else:
             raise ResponseException(
                 JsonResponse(
@@ -292,9 +303,10 @@ class CurrentUserAPIView(BaseAPIView):
         "summary": "Get current user",
     })
     def get(self):
-        if self.request.user:
-            user = self.request.user
-        else:
+        from plain.auth import get_request_user
+
+        user = get_request_user(self.request)
+        if not user:
             raise Http404
 
         return schemas.UserSchema.from_user(user, self.request)
@@ -325,9 +337,10 @@ class TeamAccountAPIView(BaseAPIView):
                     team__organization=self.organization, uuid=self.url_kwargs["uuid"]
                 )
 
-            if self.request.user:
+            user = get_request_user(self.request)
+            if user:
                 return TeamAccount.query.get(
-                    team__organization__in=self.request.user.organizations.all(),
+                    team__organization__in=user.organizations.all(),
                     uuid=self.url_kwargs["uuid"],
                 )
         except TeamAccount.DoesNotExist:

plain-auth/plain/auth/README.md

@@ -17,8 +17,11 @@ The `plain.auth` package provides user authentication and authorization for Plai
 
 ```python
 # In a view
-if request.user:
-    print(f"Hello, {request.user.email}!")
+from plain.auth import get_request_user
+
+user = get_request_user(request)
+if user:
+    print(f"Hello, {user.email}!")
 else:
     print("You are not logged in.")
 ```
@@ -33,7 +36,7 @@ class ProfileView(AuthViewMixin, View):
     login_required = True
 
     def get(self):
-        return f"Welcome, {self.request.user.email}!"
+        return f"Welcome, {self.user.email}!"
 ```
 
 ## Authentication setup
@@ -108,23 +111,24 @@ urlpatterns = [
 
 ## Checking if a user is logged in
 
-A `request.user` will either be `None` or point to an instance of your `AUTH_USER_MODEL`.
-
-In templates:
+In templates, use the `get_current_user()` function:
 
 ```html
-{% if request.user %}
-    <p>Hello, {{ request.user.email }}!</p>
+{% if get_current_user() %}
+    <p>Hello, {{ get_current_user().email }}!</p>
 {% else %}
     <p>You are not logged in.</p>
 {% endif %}
 ```
 
-In Python code:
+In Python code, use `get_request_user()`:
 
 ```python
-if request.user:
-    print(f"Hello, {request.user.email}!")
+from plain.auth import get_request_user
+
+user = get_request_user(request)
+if user:
+    print(f"Hello, {user.email}!")
 else:
     print("You are not logged in.")
 ```
@@ -151,7 +155,7 @@ class AdminOnlyView(AuthViewMixin, View):
 class CustomPermissionView(AuthViewMixin, View):
     def check_auth(self):
         super().check_auth()
-        if not self.request.user.is_special:
+        if not self.user.is_special:
             raise PermissionDenied("You're not special!")
 ```
 

plain-flags/plain/flags/README.md

@@ -37,7 +37,7 @@ class FooEnabled(Flag):
 Use flags in HTML templates:
 
 ```html
-{% if flags.FooEnabled(request.user) %}
+{% if flags.FooEnabled(get_current_user()) %}
     <p>Foo is enabled for you!</p>
 {% else %}
     <p>Foo is disabled for you.</p>

plain-htmx/plain/htmx/README.md

@@ -202,7 +202,7 @@ Then in the view class, we can define methods for each HTTP method + `plain-hx-a
 class PullRequestDetailView(HTMXViewMixin, DetailView):
     def get_queryset(self):
         # The queryset will apply to all actions on the view, so "permission" logic can be shared
-        return super().get_queryset().filter(users=self.request.user)
+        return super().get_queryset().filter(users=self.user)
 
     # Action handling methods follow this format:
     # htmx_{method}_{action}
@@ -251,7 +251,7 @@ this can basically all be done through standard request and response headers:
 class PullRequestDetailView(HTMXViewMixin, DetailView):
     def get_queryset(self):
         # The queryset will apply to all actions on the view, so "permission" logic can be shared
-        return super().get_queryset().filter(users=self.request.user)
+        return super().get_queryset().filter(users=self.user)
 
     # You can also leave off the "plain-hx-action" attribute and just handle the HTTP method
     def htmx_delete(self):

plain-models/plain/models/fields/related_descriptors.py

@@ -199,9 +199,9 @@ def __set__(self, instance, value):
         - ``instance`` is the ``child`` instance
         - ``value`` is the ``parent`` instance on the right of the equal sign
         """
-        # If value is a LazyObject (like SimpleLazyObject used for request.user),
-        # force its evaluation. For ForeignKey fields, the value should only be
-        # None or a model instance, never a boolean or other type.
+        # If value is a LazyObject, force its evaluation. For ForeignKey fields,
+        # the value should only be None or a model instance, never a boolean or
+        # other type.
         if isinstance(value, LazyObject):
             # This forces evaluation: if it's None, value becomes None;
             # if it's a User instance, value becomes that instance.

plain-oauth/plain/oauth/README.md

@@ -182,11 +182,11 @@ Here's an very basic example:
 {% extends "base.html" %}
 
 {% block content %}
-Hello {{ request.user }}!
+Hello {{ get_current_user() }}!
 
 <h2>Existing connections</h2>
 <ul>
-    {% for connection in request.user.oauth_connections.all %}
+    {% for connection in get_current_user().oauth_connections.all %}
     <li>
         {{ connection.provider_key }} [ID: {{ connection.provider_user_id }}]
         <form action="{% url 'oauth:disconnect' connection.provider_key %}" method="post">

plain-pages/plain/pages/README.md

@@ -56,7 +56,7 @@ title: Features
 ---
 
 <h1>{{ page.title }}</h1>
-<p>Current user: {{ request.user }}</p>
+<p>Current user: {{ get_current_user() }}</p>
 ```
 
 ### Markdown pages

plain-sessions/plain/sessions/README.md

@@ -20,28 +20,38 @@ Sessions are implemented as a dictionary-like object that automatically handles
 
 ## Basic usage
 
-Sessions are automatically available on request objects when the middleware is installed. You can use `request.session` like a standard Python dictionary:
+In views that inherit from `SessionViewMixin`, you can use `self.session` like a standard Python dictionary:
 
 ```python
+from plain.sessions.views import SessionViewMixin
 from plain.views import View
 
-class MyView(View):
+class MyView(SessionViewMixin, View):
     def get(self):
         # Store values in the session
-        self.request.session['username'] = 'jane'
-        self.request.session['cart_items'] = [1, 2, 3]
+        self.session['username'] = 'jane'
+        self.session['cart_items'] = [1, 2, 3]
 
         # Retrieve values from the session
-        username = self.request.session.get('username')
-        cart_items = self.request.session.get('cart_items', [])
+        username = self.session.get('username')
+        cart_items = self.session.get('cart_items', [])
 
         # Check if a key exists
-        if 'username' in self.request.session:
+        if 'username' in self.session:
             # User has a session
             pass
 
         # Delete values from the session
-        del self.request.session['cart_items']
+        del self.session['cart_items']
+```
+
+Outside of views, you can use `get_request_session()`:
+
+```python
+from plain.sessions import get_request_session
+
+session = get_request_session(request)
+session['key'] = 'value'
 ```
 
 The session data is automatically saved when you set or delete values. Sessions are stored in the database using the [`Session`](./models.py#Session) model.
@@ -89,23 +99,41 @@ The [`SessionStore`](./core.py#SessionStore) class provides additional methods f
 To completely remove the current session data and regenerate the session key:
 
 ```python
-# Delete all session data and get a new session key
-request.session.flush()
+# In a view with SessionViewMixin
+self.session.flush()
+
+# Outside a view
+from plain.sessions import get_request_session
+session = get_request_session(request)
+session.flush()
 ```
 
 ### Cycling session keys
 
 To create a new session key while retaining the current session data (useful for security purposes):
 
 ```python
-# Keep the data but change the session key
-request.session.cycle_key()
+# In a view with SessionViewMixin
+self.session.cycle_key()
+
+# Outside a view
+from plain.sessions import get_request_session
+session = get_request_session(request)
+session.cycle_key()
 ```
 
 ### Checking if session is empty
 
 ```python
-if request.session.is_empty():
+# In a view with SessionViewMixin
+if self.session.is_empty():
+    # No session data exists
+    pass
+
+# Outside a view
+from plain.sessions import get_request_session
+session = get_request_session(request)
+if session.is_empty():
     # No session data exists
     pass
 ```

plain-toolbar/README.md

@@ -31,4 +31,4 @@ Add the toolbar to your base template:
 </html>
 ```
 
-The toolbar will appear when `settings.DEBUG` is True or when `request.user.is_admin` is True.
+The toolbar will appear when `settings.DEBUG` is True or when the authenticated user has `is_admin` set to True.