Opened 18 years ago
Last modified 18 years ago
#4015 closed
login and logout should update request.user — at Initial Version
Reported by: | James Bennett | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | Contrib apps | Version: | dev |
Severity: | Keywords: | ||
Cc: | Triage Stage: | Ready for checkin | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently, django.contrib.auth.login
and django.contrib.auth.logout
don't update request.user
, which means that things which happen after those functions are called (e.g., templates which include {% if user.is_authenticated %}
) will not see that the authentication status has changed.
This causes some counterintuitive behavior:
- If you use
django.contrib.auth.views.logout
and have it return a template directly, the template may "think" you're still logged in even though you aren't (becauserequest.user
is still aUser
object). Having it return a redirect instead shows the expected behavior, because it ends up generating a new request). - If you use forms which subclass
django.contrib.auth.forms.AuthenticationForm
(e.g., the form for posting registered comments), the form may think you're anonymous even after it's logged you in (becauserequest.user
is still anAnonymousUser
object). This is why, for example, entering a username and password when previewing a registered comment seems to do nothing (the form will still think those fields are required, because it doesn't know you've successfully logged in during that request).
Having login
and logout
update request.user
would clear this up.
Note:
See TracTickets
for help on using tickets.