Fixed #23957 -- Started deprecation toward requiring session verification.

Thanks Carl Meyer for review.
Tim Graham 2014-12-04 11:56:30 -05:00
parent 1d3e41e1cf
commit b6ea059b4a
5 changed files with 82 additions and 0 deletions


@ -9,9 +9,11 @@ a list of all possible variables.
import importlib import importlib
import os import os
import time # Needed for Windows import time # Needed for Windows
import warnings
from django.conf import global_settings from django.conf import global_settings
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.functional import LazyObject, empty from django.utils.functional import LazyObject, empty
from django.utils import six from django.utils import six
@ -110,6 +112,16 @@ class Settings(BaseSettings):
if not self.SECRET_KEY: if not self.SECRET_KEY:
raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.") raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
if ('django.contrib.auth.middleware.AuthenticationMiddleware' in self.MIDDLEWARE_CLASSES and
'django.contrib.auth.middleware.SessionAuthenticationMiddleware' not in self.MIDDLEWARE_CLASSES):
warnings.warn(
"Session verification will become mandatory in Django 2.0. "
"Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' "
"to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after "
"reading the upgrade considerations in the 1.8 release notes.",
RemovedInDjango20Warning
)
if hasattr(time, 'tzset') and self.TIME_ZONE: if hasattr(time, 'tzset') and self.TIME_ZONE:
# When we can, attempt to validate the timezone. If we can't find # When we can, attempt to validate the timezone. If we can't find
# this file, no check happens and it's harmless. # this file, no check happens and it's harmless.
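Review bot: The new check on the `if (` line matches two exact dotted paths, so a project that registers a subclass or wrapper of `AuthenticationMiddleware` under a different import path gets no warning and will have session verification switched on silently in 2.0; that limitation deserves a comment next to the condition, e.g. `# Exact-path match only: a subclass of AuthenticationMiddleware registered under another path is not warned.` Two smaller points: nothing in the hunk checks that `MIDDLEWARE_CLASSES` is a sequence, so a plain string value would turn both `in` tests into substring checks (presumably rejected elsewhere, but not visibly), and `warnings.warn` is called without `stacklevel`, so the warning is attributed to this module rather than to the project's settings. The enclosing `Settings.__init__` starts and ends outside the hunk.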


@ -95,6 +95,10 @@ details on these changes.
* ``django.shortcuts.render()`` * ``django.shortcuts.render()``
* ``django.shortcuts.render_to_response()`` * ``django.shortcuts.render_to_response()``
* Session verification will be enabled regardless of whether or not
``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` is in
``MIDDLEWARE_CLASSES``.
.. _deprecation-removed-in-1.9: .. _deprecation-removed-in-1.9:
1.9 1.9


@ -1158,6 +1158,21 @@ The default value of the
:attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>` :attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>`
attribute will change from ``True`` to ``False`` in Django 1.9. attribute will change from ``True`` to ``False`` in Django 1.9.
Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:class:`django.contrib.auth.middleware.SessionAuthenticationMiddleware` was
added in Django 1.7. In Django 1.7.2, its functionality was moved to
``auth.get_user()`` and, for backwards compatibility, enabled only if
``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` appears in
:setting:`MIDDLEWARE_CLASSES`.
In Django 2.0, session verification will be enabled regardless of whether or not
``SessionAuthenticationMiddleware`` is enabled (at which point
``SessionAuthenticationMiddleware`` will have no significance). You can add it
to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the
:ref:`upgrade considerations <session-invalidation-on-password-change>` first.
.. removed-features-1.8: .. removed-features-1.8:
Features removed in 1.8 Features removed in 1.8


@ -612,6 +612,12 @@ Session invalidation on password change
is enabled in :setting:`MIDDLEWARE_CLASSES`. It's included if is enabled in :setting:`MIDDLEWARE_CLASSES`. It's included if
``settings.py`` was generated by :djadmin:`startproject` on Django ≥ 1.7. ``settings.py`` was generated by :djadmin:`startproject` on Django ≥ 1.7.
Session verification will become mandatory in Django 2.0 regardless of
whether or not ``SessionAuthenticationMiddleware`` is enabled. If you have
a pre-1.7 project or one generated using a template that doesn't include
``SessionAuthenticationMiddleware``, consider enabling it before then after
reading the upgrade considerations below.
If your :setting:`AUTH_USER_MODEL` inherits from If your :setting:`AUTH_USER_MODEL` inherits from
:class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own :class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()` :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`


@ -10,6 +10,7 @@ from django.http import HttpRequest
from django.test import (SimpleTestCase, TransactionTestCase, TestCase, from django.test import (SimpleTestCase, TransactionTestCase, TestCase,
modify_settings, override_settings, signals) modify_settings, override_settings, signals)
from django.utils import six from django.utils import six
from django.utils.encoding import force_text
@modify_settings(ITEMS={ @modify_settings(ITEMS={
@ -464,3 +465,47 @@ class TestTupleSettings(unittest.TestCase):
finally: finally:
del sys.modules['fake_settings_module'] del sys.modules['fake_settings_module']
delattr(settings_module, setting) delattr(settings_module, setting)
class TestSessionVerification(unittest.TestCase):
def setUp(self):
self.settings_module = ModuleType('fake_settings_module')
self.settings_module.SECRET_KEY = 'foo'
def tearDown(self):
if 'fake_settings_module' in sys.modules:
del sys.modules['fake_settings_module']
def test_session_verification_deprecation_no_verification(self):
self.settings_module.MIDDLEWARE_CLASSES = ['django.contrib.auth.middleware.AuthenticationMiddleware']
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(
force_text(warn[0].message),
"Session verification will become mandatory in Django 2.0. "
"Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' "
"to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after "
"reading the upgrade considerations in the 1.8 release notes.",
)
def test_session_verification_deprecation_both(self):
self.settings_module.MIDDLEWARE_CLASSES = [
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
]
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(len(warn), 0)
def test_session_verification_deprecation_neither(self):
self.settings_module.MIDDLEWARE_CLASSES = []
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(len(warn), 0)
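Review bot: `test_session_verification_deprecation_no_verification` indexes `warn[0]` and compares only the message text, so a missing warning surfaces as an IndexError instead of an assertion failure and the deprecation category is never verified; add `self.assertEqual(len(warn), 1)` before the message check and `self.assertIs(warn[0].category, RemovedInDjango20Warning)` (importing the class if this module does not already). Re-typing the full message also means any later wording change must be made in two places; asserting on a stable prefix such as `"Session verification will become mandatory in Django 2.0."` would pin the behaviour with less duplication. The `both` and `neither` cases assert `len(warn) == 0`, which will also fail if `Settings()` ever emits an unrelated warning — acceptable for now, but worth a short comment. The second hunk is the one reviewed; the first only adds the `force_text` import.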