p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #23957 -- Started deprecation toward requiring session verification. 

Thanks Carl Meyer for review.
This commit is contained in:
Tim Graham 2014-12-04 11:56:30 -05:00
parent 1d3e41e1cf
commit b6ea059b4a
5 changed files with 82 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
django/conf/__init__.py
View File

@ -9,9 +9,11 @@ a list of all possible variables.
import importlib
import os
import time # Needed for Windows
import warnings
from django.conf import global_settings
from django.core.exceptions import ImproperlyConfigured
from django.utils.deprecation import RemovedInDjango20Warning
from django.utils.functional import LazyObject, empty
from django.utils import six
@ -110,6 +112,16 @@ class Settings(BaseSettings):
if not self.SECRET_KEY:
raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
if ('django.contrib.auth.middleware.AuthenticationMiddleware' in self.MIDDLEWARE_CLASSES and
'django.contrib.auth.middleware.SessionAuthenticationMiddleware' not in self.MIDDLEWARE_CLASSES):
warnings.warn(
"Session verification will become mandatory in Django 2.0. "
"Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' "
"to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after "
"reading the upgrade considerations in the 1.8 release notes.",
RemovedInDjango20Warning
)
if hasattr(time, 'tzset') and self.TIME_ZONE:
# When we can, attempt to validate the timezone. If we can't find
# this file, no check happens and it's harmless.

4
docs/internals/deprecation.txt
View File

@ -95,6 +95,10 @@ details on these changes.
* ``django.shortcuts.render()``
* ``django.shortcuts.render_to_response()``
* Session verification will be enabled regardless of whether or not
``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` is in
``MIDDLEWARE_CLASSES``.
.. _deprecation-removed-in-1.9:
1.9

15
docs/releases/1.8.txt
View File

@ -1158,6 +1158,21 @@ The default value of the
:attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>`
attribute will change from ``True`` to ``False`` in Django 1.9.
Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:class:`django.contrib.auth.middleware.SessionAuthenticationMiddleware` was
added in Django 1.7. In Django 1.7.2, its functionality was moved to
``auth.get_user()`` and, for backwards compatibility, enabled only if
``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` appears in
:setting:`MIDDLEWARE_CLASSES`.
In Django 2.0, session verification will be enabled regardless of whether or not
``SessionAuthenticationMiddleware`` is enabled (at which point
``SessionAuthenticationMiddleware`` will have no significance). You can add it
to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the
:ref:`upgrade considerations <session-invalidation-on-password-change>` first.
.. removed-features-1.8:
Features removed in 1.8

6
docs/topics/auth/default.txt
View File

@ -612,6 +612,12 @@ Session invalidation on password change
is enabled in :setting:`MIDDLEWARE_CLASSES`. It's included if
``settings.py`` was generated by :djadmin:`startproject` on Django ≥ 1.7.
Session verification will become mandatory in Django 2.0 regardless of
whether or not ``SessionAuthenticationMiddleware`` is enabled. If you have
a pre-1.7 project or one generated using a template that doesn't include
``SessionAuthenticationMiddleware``, consider enabling it before then after
reading the upgrade considerations below.
If your :setting:`AUTH_USER_MODEL` inherits from
:class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`

45
tests/settings_tests/tests.py
View File

@ -10,6 +10,7 @@ from django.http import HttpRequest
from django.test import (SimpleTestCase, TransactionTestCase, TestCase,
modify_settings, override_settings, signals)
from django.utils import six
from django.utils.encoding import force_text
@modify_settings(ITEMS={
@ -464,3 +465,47 @@ class TestTupleSettings(unittest.TestCase):
finally:
del sys.modules['fake_settings_module']
delattr(settings_module, setting)
class TestSessionVerification(unittest.TestCase):
def setUp(self):
self.settings_module = ModuleType('fake_settings_module')
self.settings_module.SECRET_KEY = 'foo'
def tearDown(self):
if 'fake_settings_module' in sys.modules:
del sys.modules['fake_settings_module']
def test_session_verification_deprecation_no_verification(self):
self.settings_module.MIDDLEWARE_CLASSES = ['django.contrib.auth.middleware.AuthenticationMiddleware']
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(
force_text(warn[0].message),
"Session verification will become mandatory in Django 2.0. "
"Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' "
"to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after "
"reading the upgrade considerations in the 1.8 release notes.",
)
def test_session_verification_deprecation_both(self):
self.settings_module.MIDDLEWARE_CLASSES = [
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
]
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(len(warn), 0)
def test_session_verification_deprecation_neither(self):
self.settings_module.MIDDLEWARE_CLASSES = []
sys.modules['fake_settings_module'] = self.settings_module
with warnings.catch_warnings(record=True) as warn:
warnings.filterwarnings('always')
Settings('fake_settings_module')
self.assertEqual(len(warn), 0)