Refs #35530 -- Removed request.user or auser() fallback in auth.login and auth.alogin.

Per deprecation timeline.
2025-09-18 06:59:12 +00:00 · 2025-09-05 14:06:36 -04:00 · 2025-09-05 14:06:36 -04:00 · 32e266dc5b
commit 32e266dc5b
parent a146fe2930
4 changed files with 15 additions and 134 deletions
--- a/django/contrib/auth/init.py
+++ b/django/contrib/auth/init.py
@ -1,13 +1,11 @@
 import inspect
 import re
-import warnings

 from django.apps import apps as django_apps
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
 from django.middleware.csrf import rotate_token
 from django.utils.crypto import constant_time_compare
-from django.utils.deprecation import RemovedInDjango61Warning
 from django.utils.module_loading import import_string
 from django.views.decorators.debug import sensitive_variables

@ -156,20 +154,6 @@ def login(request, user, backend=None):
    have to reauthenticate on every request. Note that data set during
    the anonymous session is retained when the user logs in.
    """
-    # RemovedInDjango61Warning: When the deprecation ends, replace with:
-    # session_auth_hash = user.get_session_auth_hash()
-    session_auth_hash = ""
-    # RemovedInDjango61Warning.
-    if user is None:
-        user = request.user
-        warnings.warn(
-            "Fallback to request.user when user is None will be removed.",
-            RemovedInDjango61Warning,
-            stacklevel=2,
-        )
-
-    # RemovedInDjango61Warning.
-    if hasattr(user, "get_session_auth_hash"):
    session_auth_hash = user.get_session_auth_hash()

    if SESSION_KEY in request.session:
@ -199,19 +183,6 @@ def login(request, user, backend=None):

 async def alogin(request, user, backend=None):
    """See login()."""
-    # RemovedInDjango61Warning: When the deprecation ends, replace with:
-    # session_auth_hash = user.get_session_auth_hash()
-    session_auth_hash = ""
-    # RemovedInDjango61Warning.
-    if user is None:
-        warnings.warn(
-            "Fallback to request.auser() when user is None will be removed.",
-            RemovedInDjango61Warning,
-            stacklevel=2,
-        )
-        user = await request.auser()
-    # RemovedInDjango61Warning.
-    if hasattr(user, "get_session_auth_hash"):
    session_auth_hash = user.get_session_auth_hash()

    if await request.session.ahas_key(SESSION_KEY):
--- a/docs/releases/6.1.txt
+++ b/docs/releases/6.1.txt
@ -268,3 +268,7 @@ to remove usage of these features.

 * The ``all`` parameter for the ``django.contrib.staticfiles.finders.find()``
  function is removed in favor of the ``find_all`` parameter.
+
+* Fallbacks to ``request.user`` and ``request.auser()`` when ``user`` is
+  ``None`` in ``django.contrib.auth.login()`` and
+  ``django.contrib.auth.alogin()``, respectively, are removed.
--- a/tests/async/test_async_auth.py
+++ b/tests/async/test_async_auth.py
@ -8,7 +8,6 @@ from django.contrib.auth import (
 from django.contrib.auth.models import AnonymousUser, User
 from django.http import HttpRequest
 from django.test import TestCase, override_settings
-from django.utils.deprecation import RemovedInDjango61Warning


 class AsyncAuthTest(TestCase):
@ -61,68 +60,15 @@ class AsyncAuthTest(TestCase):
        self.assertIsInstance(user, User)
        self.assertEqual(user.username, second_user.username)

-    # RemovedInDjango61Warning: When the deprecation ends, replace with:
-    # async def test_alogin_without_user(self):
-    async def test_alogin_without_user_no_request_user(self):
+    async def test_alogin_without_user(self):
        request = HttpRequest()
        request.session = await self.client.asession()
-        # RemovedInDjango61Warning: When the deprecation ends, replace with:
-        # with self.assertRaisesMessage(
-        #     AttributeError,
-        #     "'NoneType' object has no attribute 'get_session_auth_hash'",
-        # ):
-        #     await alogin(request, None)
-        with (
-            self.assertRaisesMessage(
+        with self.assertRaisesMessage(
            AttributeError,
-                "'HttpRequest' object has no attribute 'auser'",
-            ),
-            self.assertWarnsMessage(
-                RemovedInDjango61Warning,
-                "Fallback to request.auser() when user is None will be removed.",
-            ),
+            "'NoneType' object has no attribute 'get_session_auth_hash'",
        ):
            await alogin(request, None)

-    # RemovedInDjango61Warning: When the deprecation ends, remove completely.
-    async def test_alogin_without_user_anonymous_request(self):
-        async def auser():
-            return AnonymousUser()
-
-        request = HttpRequest()
-        request.user = AnonymousUser()
-        request.auser = auser
-        request.session = await self.client.asession()
-        with (
-            self.assertRaisesMessage(
-                AttributeError,
-                "'AnonymousUser' object has no attribute '_meta'",
-            ),
-            self.assertWarnsMessage(
-                RemovedInDjango61Warning,
-                "Fallback to request.auser() when user is None will be removed.",
-            ),
-        ):
-            await alogin(request, None)
-
-    # RemovedInDjango61Warning: When the deprecation ends, remove completely.
-    async def test_alogin_without_user_authenticated_request(self):
-        async def auser():
-            return self.test_user
-
-        request = HttpRequest()
-        request.user = self.test_user
-        request.auser = auser
-        request.session = await self.client.asession()
-        with self.assertWarnsMessage(
-            RemovedInDjango61Warning,
-            "Fallback to request.auser() when user is None will be removed.",
-        ):
-            await alogin(request, None)
-        user = await aget_user(request)
-        self.assertIsInstance(user, User)
-        self.assertEqual(user.username, self.test_user.username)
-
    async def test_alogout(self):
        await self.client.alogin(username="testuser", password="testpw")
        request = HttpRequest()
--- a/tests/auth_tests/test_login.py
+++ b/tests/auth_tests/test_login.py
@ -1,8 +1,7 @@
 from django.contrib import auth
-from django.contrib.auth.models import AnonymousUser, User
+from django.contrib.auth.models import User
 from django.http import HttpRequest
 from django.test import TestCase
-from django.utils.deprecation import RemovedInDjango61Warning


 class TestLogin(TestCase):
@ -25,48 +24,9 @@ class TestLogin(TestCase):
        auth.login(self.request, self.user)
        self.assertEqual(self.request.session[auth.SESSION_KEY], str(self.user.pk))

-    # RemovedInDjango61Warning: When the deprecation ends, replace with:
-    # def test_without_user(self):
-    def test_without_user_no_request_user(self):
-        # RemovedInDjango61Warning: When the deprecation ends, replace with:
-        # with self.assertRaisesMessage(
-        #     AttributeError,
-        #     "'NoneType' object has no attribute 'get_session_auth_hash'",
-        # ):
-        #     auth.login(self.request, None)
-        with (
-            self.assertRaisesMessage(
+    def test_without_user(self):
+        with self.assertRaisesMessage(
            AttributeError,
-                "'HttpRequest' object has no attribute 'user'",
-            ),
-            self.assertWarnsMessage(
-                RemovedInDjango61Warning,
-                "Fallback to request.user when user is None will be removed.",
-            ),
+            "'NoneType' object has no attribute 'get_session_auth_hash'",
        ):
            auth.login(self.request, None)
-
-    # RemovedInDjango61Warning: When the deprecation ends, remove completely.
-    def test_without_user_anonymous_request(self):
-        self.request.user = AnonymousUser()
-        with (
-            self.assertRaisesMessage(
-                AttributeError,
-                "'AnonymousUser' object has no attribute '_meta'",
-            ),
-            self.assertWarnsMessage(
-                RemovedInDjango61Warning,
-                "Fallback to request.user when user is None will be removed.",
-            ),
-        ):
-            auth.login(self.request, None)
-
-    # RemovedInDjango61Warning: When the deprecation ends, remove completely.
-    def test_without_user_authenticated_request(self):
-        self.request.user = self.user
-        self.assertNotIn(auth.SESSION_KEY, self.request.session)
-
-        msg = "Fallback to request.user when user is None will be removed."
-        with self.assertWarnsMessage(RemovedInDjango61Warning, msg):
-            auth.login(self.request, None)
-        self.assertEqual(self.request.session[auth.SESSION_KEY], str(self.user.pk))