From 1bf4646f9133f26547a0dccf2f8a4526d85f2ab3 Mon Sep 17 00:00:00 2001 From: Abeer Upadhyay Date: Sun, 25 Mar 2018 13:39:32 +0530 Subject: [PATCH] Fixed #29258 -- Added type checking for login()'s backend argument. --- AUTHORS | 1 + django/contrib/auth/__init__.py | 3 +++ tests/auth_tests/test_auth_backends.py | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/AUTHORS b/AUTHORS index e62c0794133..bfba0c05230 100644 --- a/AUTHORS +++ b/AUTHORS @@ -8,6 +8,7 @@ answer newbie questions, and generally made Django that much better: Aaron Cannon Aaron Swartz Aaron T. Myers + Abeer Upadhyay Abhishek Gautam Adam BogdaƂ Adam Johnson diff --git a/django/contrib/auth/__init__.py b/django/contrib/auth/__init__.py index 590f85442c9..6aa900fbe4a 100644 --- a/django/contrib/auth/__init__.py +++ b/django/contrib/auth/__init__.py @@ -119,6 +119,9 @@ def login(request, user, backend=None): 'therefore must provide the `backend` argument or set the ' '`backend` attribute on the user.' ) + else: + if not isinstance(backend, str): + raise TypeError('backend must be a dotted import path string (got %r).' % backend) request.session[SESSION_KEY] = user._meta.pk.value_to_string(user) request.session[BACKEND_SESSION_KEY] = backend diff --git a/tests/auth_tests/test_auth_backends.py b/tests/auth_tests/test_auth_backends.py index 1a1950e9897..25a910cdf13 100644 --- a/tests/auth_tests/test_auth_backends.py +++ b/tests/auth_tests/test_auth_backends.py 
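Review bot: In django/contrib/auth/__init__.py, the new `raise TypeError(... % backend)` line mis-formats its message when `backend` is itself a tuple. A one-element tuple is unpacked and reported as its element, and a longer tuple fails with "not all arguments converted during string formatting" instead of the intended text. Wrapping the operand fixes both: `raise TypeError('backend must be a dotted import path string (got %r).' % (backend,))`. As far as the hunk shows, the check is type-only and any string is then written to `request.session[BACKEND_SESSION_KEY]`, so a comment such as `# Type check only; the path is not validated against the configured backends here.` would make that explicit. login() begins and ends outside this hunk.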
@@ -695,6 +695,15 @@ class SelectingBackendTests(TestCase): with self.assertRaisesMessage(ValueError, expected_message): self.client._login(user) + def test_non_string_backend(self): + user = User.objects.create_user(self.username, 'email', self.password) + expected_message = ( + 'backend must be a dotted import path string (got ' + ').' + ) + with self.assertRaisesMessage(TypeError, expected_message): + self.client._login(user, backend=ModelBackend) + @override_settings(AUTHENTICATION_BACKENDS=[backend, other_backend]) def test_backend_path_login_with_explicit_backends(self): user = User.objects.create_user(self.username, 'email', self.password)
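Review bot: test_non_string_backend covers only a class passed as `backend`, so the tuple case, which is the one that stresses the `%` formatting of the error message in login(), is missing. A second assertion passing `backend=(ModelBackend,)` and checking that the message contains the tuple's repr would pin that behaviour. As displayed here, the expected message reads `(got ` followed directly by `).`, so the class repr appears to have been lost when the page was rendered; confirm against the original patch. The enclosing SelectingBackendTests class and the following test start or continue outside the hunk.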