Commit
…und to an user. ref issue #38
@@ -293,7 +293,7 @@ def save_bearer_token(self, token, request, *args, **kwargs): | |
expires = timezone.now() + timedelta(seconds=oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS) | ||
if request.grant_type == 'client_credentials': | ||
request.user = request.client.user | ||
request.user = None | ||
access_token = AccessToken( | ||
user=request.user, | ||
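Review bot: the replacement line `request.user = None` in the `client_credentials` branch mutates the request object the caller passed in, solely so that the later `user=request.user,` argument to `AccessToken(` picks up `None`; a local variable would give the same result without the side effect, e.g. `user = None if request.grant_type == 'client_credentials' else request.user` and then `user=user,` in the `AccessToken(` call (and in any other place that copies `request.user` into a stored token). As written, anything downstream that still reads `request.user` after this method runs will find it cleared.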
Please explain to me why this was implemented by clearing the user on the request object, instead of just making sure not to store the user in the created AccessToken and RefreshToken?
In the current version this validation method has a side effect of removing the current user from the request, which is IMHO unacceptable given that the request object is not owned by this class, nor by the OAuth lib in general.