> On Jan 8, 2016, at 11:35 AM, Aymeric Augustin 
> <aymeric.augus...@polytechnique.org> wrote:
> 
> +1
> 
> Great work.
> 
> The only (and minor) concern I have is about allowing function-based 
> middleware factories to return None.
> 
> In the spirit of “there should be only one way to do it”, I would require 
> raising MiddlewareNotUsed explicitly to disable a middleware. A middleware 
> factory that returns None would cause an ImproperlyConfigured exception. 
> Otherwise middleware could be skipped by mistake, if the developer forgets to 
> return the middleware from the factory. This is especially a concern for 
> production-only middleware that developers can’t run locally.
> 
> It’s easy to imagine scenarios where this would escalate into a security 
> issue. For instance, consider a middleware that hooks into a centralized 
> corporate authentication system and rejects unauthorized users. It’s common 
> not to have a testing version of that kind of infrastructure and for 
> developers not to have keys for the production version. Add an incomplete 
> testing strategy that only checks that authorized users have access…

I definitely agree with this critique. I regularly forget to return the wrapper 
function when writing decorators, and this seems likely to have the same issue. 
Having it warn me early and loud that I screwed up would be very helpful.

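The failure mode discussed in this thread, as an added example that is not part of the original messages or Django's code. The exception classes are local stand-ins for the ones in `django.core.exceptions`, and `build_chain`, `sso_auth_middleware` and `debug_toolbar_middleware` are hypothetical names; the sketch compares a loader that treats a `None` return as "skip" with one that rejects it.

```python
# Stand-ins for django.core.exceptions, defined locally so this runs without Django.
class MiddlewareNotUsed(Exception): ...
class ImproperlyConfigured(Exception): ...

def view(request):
    return "200 secret report"

def sso_auth_middleware(get_response):
    """Hypothetical corporate-auth middleware with the bug discussed: no return."""
    def middleware(request):
        if not request.get("authorized"):
            return "403 forbidden"
        return get_response(request)
    # BUG: 'return middleware' is missing, so the factory returns None.

def debug_toolbar_middleware(get_response):
    """Hypothetical middleware that disables itself the explicit way."""
    raise MiddlewareNotUsed("only enabled when DEBUG is on")

def build_chain(factories, handler, allow_none):
    """Wrap handler in each factory, innermost last (assumed loader model).

    allow_none=True  models a loader where returning None means "skip me".
    allow_none=False models the stricter rule suggested in the thread.
    """
    for factory in reversed(factories):
        try:
            wrapped = factory(handler)
        except MiddlewareNotUsed:
            continue  # explicit, intentional opt-out
        if wrapped is None:
            if allow_none:
                continue  # silently skipped: the auth check disappears
            raise ImproperlyConfigured(
                f"Middleware factory {factory.__name__} returned None.")
        handler = wrapped
    return handler

def demo():
    factories = [sso_auth_middleware, debug_toolbar_middleware]
    lenient = build_chain(factories, view, allow_none=True)
    unauth = lenient({"authorized": False})  # reaches the view unchecked
    auth = lenient({"authorized": True})     # the only case a thin test suite checks
    try:
        build_chain(factories, view, allow_none=False)
        strict = "started"
    except ImproperlyConfigured as exc:
        strict = str(exc)
    return unauth, auth, strict

if __name__ == "__main__":
    print(demo())
```

With the lenient loader, a test that only exercises authorized users passes while unauthorized requests also get through; the strict loader refuses to start.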