Django 1.8 worsens the situation significantly:

    {% if request.user.is_authenticated %}

does the right thing in a Django template but is a security vulnerability
in a Jinja2 template!

We could implement a property that returns an object:

- that is still callable, for backwards compatibility
- that evaluates correctly in a boolean context

Then we can consider deprecating the ability to call it.


class CallableBool:
    """Boolean-like value that can still be called, so both
    ``user.is_authenticated`` and ``user.is_authenticated()`` work."""

    def __init__(self, value):
        self.value = value

    def __bool__(self):
        # Truth hook consulted by ``if user.is_authenticated:`` (Python 3 name).
        return self.value

    def __call__(self):
        # Backwards compatibility for code that still writes ``is_authenticated()``.
        return self.value

    def __repr__(self):
        return 'CallableBool(%r)' % self.value

CallableFalse = CallableBool(False)

CallableTrue = CallableBool(True)


It's a bit of a hack, but what Pythonista doesn't like using Python like
that? ;-)

-- 
Aymeric.
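
An added example (my own code, not from this thread or from Django) that puts Thomas's proposal and Aymeric's sketch next to the bug they fix. The Legacy*/User classes are constructed stand-ins for Django's auth models, the two resolve_* helpers are simplified stand-ins for how the Django template engine and Jinja2 look up a variable, and the DeprecationWarning in __call__ is a hypothetical illustration of the "consider deprecating the ability to call it" step. do_not_call_in_templates is the real attribute the Django engine checks before auto-calling a value; everything else is assumed.

```python
import warnings


class CallableBool:
    """Boolean-like object that can also be called, so both
    ``user.is_authenticated`` and ``user.is_authenticated()`` give the
    right answer while code migrates from method to property."""

    # Real Django template-engine hook: keep the object, do not auto-call it.
    do_not_call_in_templates = True

    def __init__(self, value):
        self.value = bool(value)

    def __bool__(self):
        # Truth hook used by ``if user.is_authenticated:`` and by Jinja2.
        return self.value

    __nonzero__ = __bool__  # Python 2 name of the hook (Django 1.8 still supports 2.7)

    def __call__(self):
        # Backwards compatibility; hypothetical deprecation of the old call style.
        warnings.warn("is_authenticated is a property now; drop the ()",
                      DeprecationWarning, stacklevel=2)
        return self.value

    def __repr__(self):
        return 'CallableBool(%r)' % self.value


CallableFalse = CallableBool(False)
CallableTrue = CallableBool(True)


# Constructed stand-ins for the Django 1.8 API ("before"): plain methods.
class LegacyAnonymousUser:
    def is_authenticated(self):
        return False


class LegacyUser:
    def is_authenticated(self):
        return True


# Constructed stand-ins for the proposed API ("after"): properties.
class AnonymousUser:
    @property
    def is_authenticated(self):
        return CallableFalse


class User:
    @property
    def is_authenticated(self):
        return CallableTrue


def resolve_django_style(obj, attr):
    """Simplified Django template lookup: a callable attribute is called,
    unless it opts out via do_not_call_in_templates (alters_data omitted)."""
    value = getattr(obj, attr)
    if callable(value) and not getattr(value, "do_not_call_in_templates", False):
        value = value()
    return value


def resolve_jinja_style(obj, attr):
    """Jinja2 does not auto-call: a bound method comes back as-is, and a
    bound method is always truthy."""
    return getattr(obj, attr)


def show_dashboard(user, resolve):
    """The check with the () forgotten, evaluated under one engine's lookup
    rule. Returns what the visitor would be shown."""
    if resolve(user, "is_authenticated"):
        return "private dashboard"
    return "login form"


if __name__ == "__main__":
    for label, user in [("legacy anon", LegacyAnonymousUser()),
                        ("legacy user", LegacyUser()),
                        ("new anon", AnonymousUser()),
                        ("new user", User())]:
        print("%-12s django=%-18s jinja2=%s" % (
            label,
            show_dashboard(user, resolve_django_style),
            show_dashboard(user, resolve_jinja_style)))
```

The anonymous legacy user gets the private dashboard under the Jinja2 rule and the login form under the Django rule, which is the 1.8 trap the thread describes; with the property returning a CallableBool both engines agree, and user.is_authenticated() still returns the plain boolean for old call sites.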


2015-12-02 15:39 GMT+01:00 Collin Anderson <cmawebs...@gmail.com>:

> On a somewhat unrelated note, is_authenticated really only makes sense
> when using request.user.is_authenticated. If you simply query a user from
> the database, is_authenticated will be True, which doesn't make any sense
> outside the context of a request. is_anonymous makes
> sense, is_authenticated doesn't work as well.
>
> On Wed, Dec 2, 2015 at 9:19 AM, Tim Graham <timogra...@gmail.com> wrote:
>
>> Someone created a ticket to raise this issue again. I found several
>> improper usages with GitHub code search. Is there any support for the idea
>> or would it be too much magic? My own opinion is that if you don't have
>> tests to catch the mistake in the first place, you're doing it wrong.
>>
>> https://code.djangoproject.com/ticket/25847
>>
>> On Thursday, April 10, 2008 at 1:06:37 PM UTC-4, David Cramer wrote:
>>>
>>> I wouldn't say insecure, but it's a big gotcha. I've done it quite a
>>> few times where I forgot the () :)
>>>
>>> On Apr 10, 5:53 am, Thomas Guettler <h...@tbz-pariv.de> wrote:
>>> > Hi,
>>> >
>>> > is_staff, is_active, is_superuser are attributes.
>>> >
>>> > is_anonymous, is_authenticated are methods.
>>> >
>>> > This is insecure if you are not careful while programming:
>>> >
>>> > if user.is_authenticated:
>>> >     ...  # Always true, since it is a method!
>>> >
>>> > It would be nice to find a solution. Here is what I thought:
>>> >
>>> > Make is_authenticated a property which returns an object
>>> > which evaluates to the proper boolean value. This object
>>> > has a method __call__ which returns the same value.
>>> >
>>> > This is backwards compatible.
>>> >
>>> >  Thomas
>>> >
>>> > --
>>> > Thomas Guettler, http://www.thomas-guettler.de/
>>> > E-Mail: guettli (*) thomas-guettler + de
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-developers+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-developers@googlegroups.com.
>> Visit this group at http://groups.google.com/group/django-developers.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-developers/df236217-bc38-4ceb-8d1e-1da18268c81c%40googlegroups.com
>> <https://groups.google.com/d/msgid/django-developers/df236217-bc38-4ceb-8d1e-1da18268c81c%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

