Opened 18 years ago

Last modified 18 years ago

#4015 closed

login and logout should update request.user — at Initial Version

Reported by: James Bennett Owned by: Adrian Holovaty
Component: Contrib apps Version: dev
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Currently, django.contrib.auth.login and django.contrib.auth.logout don't update request.user, which means that things which happen after those functions are called (e.g., templates which include {% if user.is_authenticated %}) will not see that the authentication status has changed.

This causes some counterintuitive behavior:

  • If you use django.contrib.auth.views.logout and have it return a template directly, the template may "think" you're still logged in even though you aren't (because request.user is still a User object). Having it return a redirect instead shows the expected behavior, because it ends up generating a new request).
  • If you use forms which subclass django.contrib.auth.forms.AuthenticationForm (e.g., the form for posting registered comments), the form may think you're anonymous even after it's logged you in (because request.user is still an AnonymousUser object). This is why, for example, entering a username and password when previewing a registered comment seems to do nothing (the form will still think those fields are required, because it doesn't know you've successfully logged in during that request).

Having login and logout update request.user would clear this up.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top