1
0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00

[1.10.x] Refs #26601 -- Improved backwards-compatibility of DEP 5 middleware exception handling.

Backport of 7d1b69dbe7 from master
This commit is contained in:
Carl Meyer
2016-06-14 00:41:58 -07:00
committed by Tim Graham
parent 34fbec3cb4
commit 69de988f92
11 changed files with 476 additions and 346 deletions

View File

@@ -40,14 +40,9 @@ A middleware can be written as a function that looks like this::
def middleware(request):
# Code to be executed for each request before
# the view is called.
# the view (and later middleware) are called.
try:
response = get_response(request)
except Exception as e:
# Code to handle an exception that wasn't caught
# further up the chain, if desired.
...
response = get_response(request)
# Code to be executed for each request/response after
# the view is called.
@@ -56,7 +51,7 @@ A middleware can be written as a function that looks like this::
return middleware
Or it can be written as a class with a ``__call__()`` method, like this::
Or it can be written as a class whose instances are callable, like this::
class SimpleMiddleware(object):
def __init__(self, get_response):
@@ -65,24 +60,15 @@ Or it can be written as a class with a ``__call__()`` method, like this::
def __call__(self, request):
# Code to be executed for each request before
# the view is called.
# the view (and later middleware) are called.
try:
response = self.get_response(request)
except Exception as e:
# Code to handle an exception that wasn't caught
# further up the chain, if desired.
...
response = self.get_response(request)
# Code to be executed for each request/response after
# the view is called.
return response
In both examples, the ``try``/``except`` isn't required if the middleware
doesn't need to handle any exceptions. If it is included, it should probably
catch something more specific than ``Exception``.
The ``get_response`` callable provided by Django might be the actual view (if
this is the last listed middleware) or it might be the next middleware in the
chain. The current middleware doesn't need to know or care what exactly it is,
@@ -92,30 +78,32 @@ The above is a slight simplification -- the ``get_response`` callable for the
last middleware in the chain won't be the actual view but rather a wrapper
method from the handler which takes care of applying :ref:`view middleware
<view-middleware>`, calling the view with appropriate URL arguments, and
applying :ref:`template-response <template-response-middleware>` middleware.
applying :ref:`template-response <template-response-middleware>` and
:ref:`exception <exception-middleware>` middleware.
Middleware can live anywhere on your Python path.
``__init__(get_response)``
--------------------------
Middleware classes must accept a ``get_response`` argument. You can also
Middleware factories must accept a ``get_response`` argument. You can also
initialize some global state for the middleware. Keep in mind a couple of
caveats:
* Django initializes your middleware with only the ``get_response`` argument,
so you can't define ``__init__()`` as requiring any other arguments.
* Unlike the ``__call__()`` method which get called once per request,
* Unlike the ``__call__()`` method which is called once per request,
``__init__()`` is called only *once*, when the Web server starts.
.. versionchanged:: 1.10
In older versions, ``__init__`` was not called until the Web server
In older versions, ``__init__()`` wasn't called until the Web server
responded to its first request.
If you want to allow your middleware to be used in Django 1.9 and earlier,
make ``get_response`` an optional argument (``get_response=None``).
In older versions, ``__init__()`` didn't accept any arguments. To allow
your middleware to be used in Django 1.9 and earlier, make ``get_response``
an optional argument (``get_response=None``).
Marking middleware as unused
----------------------------
@@ -133,9 +121,9 @@ To activate a middleware component, add it to the :setting:`MIDDLEWARE` list in
your Django settings.
In :setting:`MIDDLEWARE`, each middleware component is represented by a string:
the full Python path to the middleware's class or function name. For example,
here's the default value created by :djadmin:`django-admin startproject
<startproject>`::
the full Python path to the middleware factory's class or function name. For
example, here's the default value created by :djadmin:`django-admin
startproject <startproject>`::
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
@@ -159,25 +147,29 @@ authenticated user in the session; therefore, it must run after
:ref:`middleware-ordering` for some common hints about ordering of Django
middleware classes.
Hooks and application order
===========================
Middleware order and layering
=============================
During the request phase, before calling the view, Django applies middleware
in the order it's defined in :setting:`MIDDLEWARE`, top-down. You can think of
it like an onion: each middleware class is a "layer" that wraps the view.
During the request phase, before calling the view, Django applies middleware in
the order it's defined in :setting:`MIDDLEWARE`, top-down.
Middleware see only the changes made by middleware that run before it. A
middleware (and the view) is skipped entirely if a preceding middleware
short-circuits by returning a response without ever calling ``get_response``.
That response will only pass through the middleware that have already run.
You can think of it like an onion: each middleware class is a "layer" that
wraps the view, which is in the core of the onion. If the request passes
through all the layers of the onion (each one calls ``get_response`` to pass
the request in to the next layer), all the way to the view at the core, the
response will then pass through every layer (in reverse order) on the way back
out.
Similarly, a middleware that sees the request on the way in and doesn't return
a response is guaranteed that it will always see the response on the way back
out. If the middleware also wants to see any uncaught exception on the way out,
it can wrap its call to ``get_response()`` in a ``try``/``except``.
If one of the layers decides to short-circuit and return a response without
ever calling its ``get_response``, none of the layers of the onion inside that
layer (including the view) will see the request or the response. The response
will only return through the same layers that the request passed in through.
Besides the middleware pattern described earlier, you can add two other methods
to class-based middleware:
Other middleware hooks
======================
Besides the basic request/response middleware pattern described earlier, you
can add three other special methods to class-based middleware:
.. _view-middleware:
@@ -217,6 +209,28 @@ bother calling the appropriate view; it'll apply response middleware to that
:func:`~django.views.decorators.csrf.csrf_protect` decorators which allow
views to explicitly control at what point the CSRF validation should occur.
.. _exception-middleware:
``process_exception()``
-----------------------
.. method:: process_exception(request, exception)
``request`` is an :class:`~django.http.HttpRequest` object. ``exception`` is an
``Exception`` object raised by the view function.
Django calls ``process_exception()`` when a view raises an exception.
``process_exception()`` should return either ``None`` or an
:class:`~django.http.HttpResponse` object. If it returns an
:class:`~django.http.HttpResponse` object, the template response and response
middleware will be applied and the resulting response returned to the
browser. Otherwise, :ref:`default exception handling <error-views>` kicks in.
Again, middleware are run in reverse order during the response phase, which
includes ``process_exception``. If an exception middleware returns a response,
the ``process_exception`` methods of the middleware classes above that
middleware won't be called at all.
.. _template-response-middleware:
``process_template_response()``
@@ -268,31 +282,24 @@ must test for streaming responses and adjust their behavior accordingly::
for chunk in content:
yield alter_content(chunk)
.. _exception-middleware:
Exception handling
==================
Exception middleware
====================
Django automatically converts exceptions raised by the view or by middleware
into an appropriate HTTP response with an error status code. :ref:`Certain
exceptions <error-views>` are converted to 4xx status codes, while an unknown
exception is converted to a 500 status code.
A middleware that does some custom exception handling might looks like this::
class ExceptionMiddleware(object):
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
try:
response = self.get_response(request)
except Exception as e:
# Do something with the exception and possibly reraise it
# unless you wish to silence it.
...
return response
Middleware that wants to do something for all exception responses, an HTTP 404
for example, need to both catch the appropriate exception (e.g. ``Http404``)
and look for regular responses with the status code of interest. You can
subclass :class:`~django.middleware.exception.ExceptionMiddleware` if you want
to transform exceptions into the appropriate response.
This conversion takes place before and after each middleware (you can think of
it as the thin film in between each layer of the onion), so that every
middleware can always rely on getting some kind of HTTP response back from
calling its ``get_response`` callable. Middleware don't need to worry about
wrapping their call to ``get_response`` in a ``try/except`` and handling an
exception that might have been raised by a later middleware or the view. Even
if the very next middleware in the chain raises an
:class:`~django.http.Http404` exception, for example, your middleware won't see
that exception; instead it will get an :class:`~django.http.HttpResponse`
object with a :attr:`~django.http.HttpResponse.status_code` of 404.
.. _upgrading-middleware:
@@ -302,30 +309,57 @@ Upgrading pre-Django 1.10-style middleware
.. class:: django.utils.deprecation.MiddlewareMixin
:module:
Django provides ``django.utils.deprecation.MiddlewareMixin`` to ease providing
the existing built-in middleware in both new-style and old-style forms and to
ease similar conversions of third-party middleware.
Django provides ``django.utils.deprecation.MiddlewareMixin`` to ease creating
middleware classes that are compatible with both :setting:`MIDDLEWARE` and the
old :setting:`MIDDLEWARE_CLASSES`.
In most cases, this mixin will be sufficient to convert a middleware with
sufficient backwards-compatibility; the new short-circuiting semantics will be
harmless or even beneficial to the existing middleware.
The mixin provides an ``__init__()`` method that accepts an optional
``get_response`` argument and stores it in ``self.get_response``.
In a few cases, a middleware class may need more invasive changes to adjust to
the new semantics.
The ``__call__()`` method:
For example, in the current request-handling logic, the handler transforms any
exception that passes through all ``process_exception`` middleware uncaught
into a response with appropriate status code (e.g. 404, 403, 400, or 500), and
then passes that response through the full chain of ``process_response``
middleware.
#. Calls ``self.process_request(request)`` (if defined).
#. Calls ``self.get_response(request)`` to get the response from later
middleware and the view.
#. Calls ``self.process_response(request, response)`` (if defined).
#. Returns the response.
In new-style middleware, a given middleware only gets one shot at a given
response or uncaught exception "on the way out," and will see either a returned
response or an uncaught exception, but not both.
If used with :setting:`MIDDLEWARE_CLASSES`, the ``__call__()`` method will
never be used; Django calls ``process_request()`` and ``process_response()``
directly.
This means that certain middleware which want to do something with all 404
responses (for example, the ``RedirectFallbackMiddleware`` and
``FlatpageFallbackMiddleware`` in ``django.contrib.redirects`` and
``django.contrib.flatpages``) now need to watch out for both a 404 response
and an uncaught ``Http404`` exception. They do this by subclassing
:class:`~django.middleware.exception.ExceptionMiddleware`.
In most cases, inheriting from this mixin will be sufficient to make an
old-style middleware compatible with the new system with sufficient
backwards-compatibility. The new short-circuiting semantics will be harmless or
even beneficial to the existing middleware. In a few cases, a middleware class
may need some changes to adjust to the new semantics.
These are the behavioral differences between using :setting:`MIDDLEWARE` and
:setting:`MIDDLEWARE_CLASSES`:
1. Under :setting:`MIDDLEWARE_CLASSES`, every middleware will always have its
``process_response`` method called, even if an earlier middleware
short-circuited by returning a response from its ``process_request``
method. Under :setting:`MIDDLEWARE`, middleware behaves more like an onion:
the layers that a response goes through on the way out are the same layers
that saw the request on the way in. If a middleware short-circuits, only
that middleware and the ones before it in :setting:`MIDDLEWARE` will see the
response.
2. Under :setting:`MIDDLEWARE_CLASSES`, ``process_exception`` is applied to
exceptions raised from a middleware ``process_request`` method. Under
:setting:`MIDDLEWARE`, ``process_exception`` applies only to exceptions
raised from the view (or from the ``render`` method of a
:class:`~django.template.response.TemplateResponse`). Exceptions raised from
a middleware are converted to the appropriate HTTP response and then passed
to the next middleware.
3. Under :setting:`MIDDLEWARE_CLASSES`, if a ``process_response`` method raises
an exception, the ``process_response`` methods of all earlier middleware are
skipped and a ``500 Internal Server Error`` HTTP response is always
returned (even if the exception raised was e.g. an
:class:`~django.http.Http404`). Under :setting:`MIDDLEWARE`, an exception
raised from a middleware will immediately be converted to the appropriate
HTTP response, and then the next middleware in line will see that
response. Middleware are never skipped due to a middleware raising an
exception.