From a8b70aeffd41d082d4bd8f99c777f37b6a58da66 Mon Sep 17 00:00:00 2001 From: Anders Einar Hilden Date: Wed, 11 Dec 2024 18:59:57 +0100 Subject: [PATCH] Fixed #36002 -- Referred to request.Meta key in Persistent/RemoteUserMiddleware comments. Changed the docstrings and code comments to better reflect where the default value comes from (an environment variable, not request header). --- django/contrib/auth/middleware.py | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/django/contrib/auth/middleware.py b/django/contrib/auth/middleware.py index 85f58ec9a5..880563bc5b 100644 --- a/django/contrib/auth/middleware.py +++ b/django/contrib/auth/middleware.py @@ -95,13 +95,16 @@ class RemoteUserMiddleware: Middleware for utilizing web-server-provided authentication. If request.user is not authenticated, then this middleware attempts to - authenticate the username passed in the ``REMOTE_USER`` request header. + authenticate the username from the ``REMOTE_USER`` key in ``request.META``, + an environment variable commonly set by the webserver. + If authentication is successful, the user is automatically logged in to persist the user in the session. - The header used is configurable and defaults to ``REMOTE_USER``. Subclass - this class and change the ``header`` attribute if you need to use a - different header. + The ``request.META`` key is configurable and defaults to ``REMOTE_USER``. + Subclass this class and change the ``header`` attribute if you need to + use a different key from ``request.META``, for example a HTTP request + header. """ sync_capable = True @@ -116,9 +119,9 @@ class RemoteUserMiddleware: markcoroutinefunction(self) super().__init__() - # Name of request header to grab username from. This will be the key as - # used in the request.META dictionary, i.e. the normalization of headers to - # all uppercase and the addition of "HTTP_" prefix apply. + # Name of request.META key to grab username from. Note that for + # request headers, normalization to all uppercase and the addition + # of a "HTTP_" prefix apply. header = "REMOTE_USER" force_logout_if_no_header = True @@ -259,10 +262,10 @@ class PersistentRemoteUserMiddleware(RemoteUserMiddleware): Middleware for web-server provided authentication on logon pages. Like RemoteUserMiddleware but keeps the user authenticated even if - the header (``REMOTE_USER``) is not found in the request. Useful - for setups when the external authentication via ``REMOTE_USER`` - is only expected to happen on some "logon" URL and the rest of - the application wants to use Django's authentication mechanism. + the ``request.META`` key is not found in the request. Useful for + setups when the external authentication is only expected to happen + on some "logon" URL and the rest of the application wants to use + Django's authentication mechanism. """ force_logout_if_no_header = False