Fix AttributeError hiding on request authenticators by rpkilby · Pull Request #5600 · encode/django-rest-framework (original) (raw)

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation5 Commits6 Checks0 Files changed

Conversation

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})

Fixes #4033. There is an existing test for the issue, however there are a couple of issues:

No authentication middleware is used, so the request.user is never set. Because of this, __getattribute__ will re-raise the AttributeError. However, typical use does include an authentication middleware and will yield a user on the underlying request, as demonstrated by Suppressed AttributeError When Authenticating #4033.
The SessionMiddleware is applied to the DRF request object instead of the underlying Django request, which doesn't mirror how middleware is actually applied.

rpkilby added this to the v3.7.4 milestone

Nov 16, 2017

This was referenced

Nov 16, 2017

cc @magnus-staberg and @pelme

If you have the time, it would be great if you can verify that this PR fixes #4033 for you.

# potentially hides AttributeError's raised in `_authenticate`.
if attr in ['user', 'auth']:
raise

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 For not doing this. 🙂

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, wanted to demonstrate that this does not work.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rpkilby Great stuff!

I think we just need to document the existence of WrappedAttributeError — the why and what you'd do with it.

A good place for that would be in the Custom Authentication section.

@rpkilby we cannot really reproduce it now any more since our code has fixed the AttributeError and changed quite a bit since we originally reported this. But yes, just raising an AttributeError in authenticate() is enough to trigger it.

Looking at the PR and test I think this PR does the right thing :)

Ryan P Kilby added 5 commits

November 22, 2017 17:00

rpkilby changed the title~~Fix request._authenticate AttributError hiding~~ Fix request._authenticate AttributeError hiding

Nov 22, 2017

rpkilby changed the title~~Fix request._authenticate AttributeError hiding~~ Fix AttributeError hiding on request authenticators

Nov 22, 2017

rpkilby deleted the fix-authenticate-attributerror-hiding branch

November 23, 2017 07:58

pchiquet pushed a commit to pchiquet/django-rest-framework that referenced this pull request

Nov 17, 2020

Update assertion style in user logout test
Apply middlewares to django request object
Fix test for request auth hiding AttributeErrors
Re-raise/wrap auth attribute errors
Fix test for py2k
Add docs for WrappedAttributeError