Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix AttributeError hiding on request authenticators #5600

Merged

Conversation

rpkilby
Copy link
Member

@rpkilby rpkilby commented Nov 16, 2017

Fixes #4033. There is an existing test for the issue, however there are a couple of issues:

  • No authentication middleware is used, so the request.user is never set. Because of this, __getattribute__ will re-raise the AttributeError. However, typical use does include an authentication middleware and will yield a user on the underlying request, as demonstrated by Suppressed AttributeError When Authenticating #4033.
  • The SessionMiddleware is applied to the DRF request object instead of the underlying Django request, which doesn't mirror how middleware is actually applied.

@rpkilby rpkilby added this to the v3.7.4 milestone Nov 16, 2017
@rpkilby rpkilby force-pushed the fix-authenticate-attributerror-hiding branch from 01f5ef5 to d69f44a Compare Nov 16, 2017
@rpkilby
Copy link
Member Author

rpkilby commented Nov 16, 2017

cc @magnus-staberg and @pelme

If you have the time, it would be great if you can verify that this PR fixes #4033 for you.

@rpkilby rpkilby force-pushed the fix-authenticate-attributerror-hiding branch from 16ec7ae to 746bb17 Compare Nov 16, 2017
# potentially hides AttributeError's raised in `_authenticate`.
if attr in ['user', 'auth']:
raise

Copy link
Collaborator

@carltongibson carltongibson Nov 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 For not doing this. 🙂

Copy link
Member Author

@rpkilby rpkilby Nov 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, wanted to demonstrate that this does not work.

Copy link
Collaborator

@carltongibson carltongibson left a comment

@rpkilby Great stuff!

I think we just need to document the existence of WrappedAttributeError — the why and what you'd do with it.

A good place for that would be in the Custom Authentication section.

@pelme
Copy link
Contributor

pelme commented Nov 22, 2017

@rpkilby we cannot really reproduce it now any more since our code has fixed the AttributeError and changed quite a bit since we originally reported this. But yes, just raising an AttributeError in authenticate() is enough to trigger it.

Looking at the PR and test I think this PR does the right thing :)

@rpkilby rpkilby force-pushed the fix-authenticate-attributerror-hiding branch from 746bb17 to ebd1e85 Compare Nov 22, 2017
@rpkilby rpkilby changed the title Fix request._authenticate AttributError hiding Fix request._authenticate AttributeError hiding Nov 22, 2017
@rpkilby rpkilby changed the title Fix request._authenticate AttributeError hiding Fix AttributeError hiding on request authenticators Nov 22, 2017
@carltongibson carltongibson merged commit c63e35c into encode:master Nov 23, 2017
1 check passed
@rpkilby rpkilby deleted the fix-authenticate-attributerror-hiding branch Nov 23, 2017
pchiquet pushed a commit to pchiquet/django-rest-framework that referenced this pull request Nov 17, 2020
* Update assertion style in user logout test

* Apply middlewares to django request object

* Fix test for request auth hiding AttributeErrors

* Re-raise/wrap auth attribute errors

* Fix test for py2k

* Add docs for WrappedAttributeError
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants