New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix #5016 - Views mutate user object when using force_request #5066
Conversation
@@ -22,7 +23,7 @@ | |||
|
|||
|
|||
def force_authenticate(request, user=None, token=None): | |||
request._force_auth_user = user | |||
request._force_auth_user = copy.deepcopy(user) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little concerned about the use of deepcopy here. It's pretty much magic, and there's no guarantee that it might not fail in some cases (user can be a custom model, or have been modified by middleware, and might have almost anything stored in state on it)
I'm not sure what the best action is here. Perhaps we should catch exceptions and fall back to simply assigning user
, tho that seems problematic too.
Perhaps I'm being overly cautious about the possibility of deepcopy
failing here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've ran into some weird issues recently with deepcopy
in regards to the request
object. Although it'd be unusual, it's not inconceivable that the request would be somehow accessible from the user via an authenticator or middleware, which deepcopy
would pick up. I'm also hesitant about deepcopy
here.
Although, if this is happening before any middleware or authenticator machinery, then it's probably fine?
One comment for open discussion. |
On balance I'd say let's accept this, but defer it to the 3.7 release, rather than introduce it in a minor release. |
@tomchristie We can have this — with #4102 tests are there — but just wondering if a note in the docs saying "You may need to call This was from the issue:
But here we know (What do you think?) |
@carltongibson I think i'd prefer that, yup - good call. |
OK. I'll make it so. |
…in case you’re reusing the same in-memory user whilst updating it in the DB. Closes encode#5016, closes encode#5066, closes encode#4102
PR will fix issue - #5016