Add additional middleware checks for django.contrib.auth

[Jaap Roes]

The django.contrib.auth.checks module defines a ​check_middleware function. This function currently checks if LoginRequiredMiddleware is enabled, if so it checks if AuthenticationMiddleware is also enabled, and is placed before it.

This is nice, and something than happens at runtime for other middlewares in contrib.auth, for example:

​RemoteUserMiddleware raises a ImproperlyConfigured error if it's enabled but AuthenticationMiddleware isn't enabled, or is placed after it.

​AuthenticationMiddleware itself also raises a ImproperlyConfigured error if it's enabled but SessionMiddleware is not (or isn't executed before reaching it).

I can contribute a patch, unless there's any reason not to do this.

[Hisham Mahmood]

This ​discussion is related. Basically it wasn't added because there were no similar checks in LoginRequiredMixin and also to add no extra work on per request path.

[Jaap Roes]

Thanks, yes I agree with the reasoning. I'd like to see if it's possible to convert these other runtime checks to similar Django checks, so the behaviour is consistent.

[Tim Graham]

A disadvantage I see with the system check approach is that it makes it more difficult to use a custom middleware that sets request.user and doesn't inherit AuthenticationMiddleware. In that case, the system check error has to be silenced using SILENCED_SYSTEM_CHECKS.

[Jaap Roes]

I see that, but is that a common pattern? Even RemoteUserMiddleware, which sets request.user, requires AuthenticationMiddleware in front of it (that's partially what this ticket is about).