	Fixed #23957 -- Started deprecation toward requiring session verification.
Thanks Carl Meyer for review.
		| @@ -9,9 +9,11 @@ a list of all possible variables. | |||||||
| import importlib | import importlib | ||||||
| import os | import os | ||||||
| import time     # Needed for Windows | import time     # Needed for Windows | ||||||
|  | import warnings | ||||||
|  |  | ||||||
| from django.conf import global_settings | from django.conf import global_settings | ||||||
| from django.core.exceptions import ImproperlyConfigured | from django.core.exceptions import ImproperlyConfigured | ||||||
|  | from django.utils.deprecation import RemovedInDjango20Warning | ||||||
| from django.utils.functional import LazyObject, empty | from django.utils.functional import LazyObject, empty | ||||||
| from django.utils import six | from django.utils import six | ||||||
|  |  | ||||||
| @@ -110,6 +112,16 @@ class Settings(BaseSettings): | |||||||
|         if not self.SECRET_KEY: |         if not self.SECRET_KEY: | ||||||
|             raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.") |             raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.") | ||||||
|  |  | ||||||
|  |         if ('django.contrib.auth.middleware.AuthenticationMiddleware' in self.MIDDLEWARE_CLASSES and | ||||||
|  |                 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' not in self.MIDDLEWARE_CLASSES): | ||||||
|  |             warnings.warn( | ||||||
|  |                 "Session verification will become mandatory in Django 2.0. " | ||||||
|  |                 "Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' " | ||||||
|  |                 "to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after " | ||||||
|  |                 "reading the upgrade considerations in the 1.8 release notes.", | ||||||
|  |                 RemovedInDjango20Warning | ||||||
|  |             ) | ||||||
|  |  | ||||||
|         if hasattr(time, 'tzset') and self.TIME_ZONE: |         if hasattr(time, 'tzset') and self.TIME_ZONE: | ||||||
|             # When we can, attempt to validate the timezone. If we can't find |             # When we can, attempt to validate the timezone. If we can't find | ||||||
|             # this file, no check happens and it's harmless. |             # this file, no check happens and it's harmless. | ||||||
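Review bot: The new `if (...)` check matches both middleware entries by exact dotted path only, so a project that subclasses or wraps `AuthenticationMiddleware` under its own module path gets no warning, even though the release-notes hunk in this commit says verification itself is keyed on the same literal `SessionAuthenticationMiddleware` string — such a project stays both unverified and unwarned. Presumably settings supplied via `settings.configure()` also bypass this check, since it sits next to the `SECRET_KEY` check inside `Settings` rather than somewhere both code paths share; worth confirming. I would at least document the limitation above the condition: `# Exact dotted-path match only: a subclassed or wrapped AuthenticationMiddleware under another path is not detected.` The enclosing method starts and ends outside the hunk.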
|   | |||||||
| @@ -95,6 +95,10 @@ details on these changes. | |||||||
|   * ``django.shortcuts.render()`` |   * ``django.shortcuts.render()`` | ||||||
|   * ``django.shortcuts.render_to_response()`` |   * ``django.shortcuts.render_to_response()`` | ||||||
|  |  | ||||||
|  | * Session verification will be enabled regardless of whether or not | ||||||
|  |   ``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` is in | ||||||
|  |   ``MIDDLEWARE_CLASSES``. | ||||||
|  |  | ||||||
| .. _deprecation-removed-in-1.9: | .. _deprecation-removed-in-1.9: | ||||||
|  |  | ||||||
| 1.9 | 1.9 | ||||||
|   | |||||||
| @@ -1158,6 +1158,21 @@ The default value of the | |||||||
| :attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>` | :attr:`RedirectView.permanent <django.views.generic.base.RedirectView.permanent>` | ||||||
| attribute will change from ``True`` to ``False`` in Django 1.9. | attribute will change from ``True`` to ``False`` in Django 1.9. | ||||||
|  |  | ||||||
|  | Using ``AuthenticationMiddleware`` without ``SessionAuthenticationMiddleware`` | ||||||
|  | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
|  | :class:`django.contrib.auth.middleware.SessionAuthenticationMiddleware` was | ||||||
|  | added in Django 1.7. In Django 1.7.2, its functionality was moved to | ||||||
|  | ``auth.get_user()`` and, for backwards compatibility, enabled only if | ||||||
|  | ``'django.contrib.auth.middleware.SessionAuthenticationMiddleware'`` appears in | ||||||
|  | :setting:`MIDDLEWARE_CLASSES`. | ||||||
|  |  | ||||||
|  | In Django 2.0, session verification will be enabled regardless of whether or not | ||||||
|  | ``SessionAuthenticationMiddleware`` is enabled (at which point | ||||||
|  | ``SessionAuthenticationMiddleware`` will have no significance). You can add it | ||||||
|  | to your ``MIDDLEWARE_CLASSES`` sometime before then to opt-in. Please read the | ||||||
|  | :ref:`upgrade considerations <session-invalidation-on-password-change>` first. | ||||||
|  |  | ||||||
| .. removed-features-1.8: | .. removed-features-1.8: | ||||||
|  |  | ||||||
| Features removed in 1.8 | Features removed in 1.8 | ||||||
|   | |||||||
| @@ -612,6 +612,12 @@ Session invalidation on password change | |||||||
|     is enabled in :setting:`MIDDLEWARE_CLASSES`. It's included if |     is enabled in :setting:`MIDDLEWARE_CLASSES`. It's included if | ||||||
|     ``settings.py`` was generated by :djadmin:`startproject` on Django ≥ 1.7. |     ``settings.py`` was generated by :djadmin:`startproject` on Django ≥ 1.7. | ||||||
|  |  | ||||||
|  |     Session verification will become mandatory in Django 2.0 regardless of | ||||||
|  |     whether or not ``SessionAuthenticationMiddleware`` is enabled. If you have | ||||||
|  |     a pre-1.7 project or one generated using a template that doesn't include | ||||||
|  |     ``SessionAuthenticationMiddleware``, consider enabling it before then after | ||||||
|  |     reading the upgrade considerations below. | ||||||
|  |  | ||||||
| If your :setting:`AUTH_USER_MODEL` inherits from | If your :setting:`AUTH_USER_MODEL` inherits from | ||||||
| :class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own | :class:`~django.contrib.auth.models.AbstractBaseUser` or implements its own | ||||||
| :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()` | :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()` | ||||||
|   | |||||||
| @@ -10,6 +10,7 @@ from django.http import HttpRequest | |||||||
| from django.test import (SimpleTestCase, TransactionTestCase, TestCase, | from django.test import (SimpleTestCase, TransactionTestCase, TestCase, | ||||||
|     modify_settings, override_settings, signals) |     modify_settings, override_settings, signals) | ||||||
| from django.utils import six | from django.utils import six | ||||||
|  | from django.utils.encoding import force_text | ||||||
|  |  | ||||||
|  |  | ||||||
| @modify_settings(ITEMS={ | @modify_settings(ITEMS={ | ||||||
| @@ -464,3 +465,47 @@ class TestTupleSettings(unittest.TestCase): | |||||||
|             finally: |             finally: | ||||||
|                 del sys.modules['fake_settings_module'] |                 del sys.modules['fake_settings_module'] | ||||||
|                 delattr(settings_module, setting) |                 delattr(settings_module, setting) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class TestSessionVerification(unittest.TestCase): | ||||||
|  |  | ||||||
|  |     def setUp(self): | ||||||
|  |         self.settings_module = ModuleType('fake_settings_module') | ||||||
|  |         self.settings_module.SECRET_KEY = 'foo' | ||||||
|  |  | ||||||
|  |     def tearDown(self): | ||||||
|  |         if 'fake_settings_module' in sys.modules: | ||||||
|  |             del sys.modules['fake_settings_module'] | ||||||
|  |  | ||||||
|  |     def test_session_verification_deprecation_no_verification(self): | ||||||
|  |         self.settings_module.MIDDLEWARE_CLASSES = ['django.contrib.auth.middleware.AuthenticationMiddleware'] | ||||||
|  |         sys.modules['fake_settings_module'] = self.settings_module | ||||||
|  |         with warnings.catch_warnings(record=True) as warn: | ||||||
|  |             warnings.filterwarnings('always') | ||||||
|  |             Settings('fake_settings_module') | ||||||
|  |         self.assertEqual( | ||||||
|  |             force_text(warn[0].message), | ||||||
|  |             "Session verification will become mandatory in Django 2.0. " | ||||||
|  |             "Please add 'django.contrib.auth.middleware.SessionAuthenticationMiddleware' " | ||||||
|  |             "to your MIDDLEWARE_CLASSES setting when you are ready to opt-in after " | ||||||
|  |             "reading the upgrade considerations in the 1.8 release notes.", | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |     def test_session_verification_deprecation_both(self): | ||||||
|  |         self.settings_module.MIDDLEWARE_CLASSES = [ | ||||||
|  |             'django.contrib.auth.middleware.AuthenticationMiddleware', | ||||||
|  |             'django.contrib.auth.middleware.SessionAuthenticationMiddleware', | ||||||
|  |         ] | ||||||
|  |         sys.modules['fake_settings_module'] = self.settings_module | ||||||
|  |         with warnings.catch_warnings(record=True) as warn: | ||||||
|  |             warnings.filterwarnings('always') | ||||||
|  |             Settings('fake_settings_module') | ||||||
|  |         self.assertEqual(len(warn), 0) | ||||||
|  |  | ||||||
|  |     def test_session_verification_deprecation_neither(self): | ||||||
|  |         self.settings_module.MIDDLEWARE_CLASSES = [] | ||||||
|  |         sys.modules['fake_settings_module'] = self.settings_module | ||||||
|  |         with warnings.catch_warnings(record=True) as warn: | ||||||
|  |             warnings.filterwarnings('always') | ||||||
|  |             Settings('fake_settings_module') | ||||||
|  |         self.assertEqual(len(warn), 0) | ||||||
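Review bot: `test_session_verification_deprecation_no_verification` asserts only on `warn[0].message`, never on the warning's category or on exactly one warning being recorded, so an unrelated warning emitted earlier by `Settings()` makes the test fail on the wrong message while a wrong category would pass. Add `self.assertEqual(len(warn), 1)` before the message check and `self.assertIs(warn[0].category, RemovedInDjango20Warning)` after it; `RemovedInDjango20Warning` is not among the visible imports and would need importing unless it is already imported above the hunk. The `len(warn) == 0` assertions in the other two tests have the same fragility in reverse, breaking on any unrelated warning from settings loading; filtering the recorded list to `RemovedInDjango20Warning` entries carrying the session message would make all three tests robust.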
|   | |||||||