Hi all, I have spent some weeks on Django in my spare time now.
In the docs and in most of the code (examples) I have seen, relying solely on request.user.is_authenticated seems to be the word. However, lately this once happened to me: I logged a user out of my site and, for testing purposes, attempted to browse to a page of my site that would provoke calling a view function protected by the login_required decorator (for example, a user's own profile page). Normally this gives back a result as expected (redirection to the login page) due to is_anonymous returning True and is_authenticated returning False. This one time, however, both returned True (I test this in the respective template), which got me a raised 404. While someone would not be able to read private data due to this (I am right about this, I hope!!), I still don't believe that it's a good idea for such a situation to be possible.

Googling the observed effect, I found one other person having encountered it, and in his blog or something (I'm really sorry the link eludes me right now), he got a response to test for both in order to protect certain views/pages, i.e., test for is_authenticated only on top of (after) is_anonymous, which worked for said person. The one having given the answer explained that some browsers don't delete some cookies before the browser closes even though the user is not logged in any more. This also worked for me, but leaves me with either writing a custom login_required decorator or having to work this sequenced testing into every view to be protected.

My real concern, though, is that I could not find anything else on this. On the one hand, I clearly remember seeing people writing their own login_required decorators while surfing for other Django stuff. I am not sure if the reason was that the vanilla decorator uses is_authenticated as its sole criterion. Do many of you use your own decorator to protect views? Do you do it for this very reason?
On the other hand, if there really is this problem with relying only on is_authenticated, this would be a way more widespread issue, known all over and fixed in SVN etc. etc. ... So mayhaps there is some session-related thing in settings.py that I overlooked that everyone is silently using at their sites? I just have a vanilla settings.py except for the additionally installed apps entries. I assume a lot of folks here know the "common practice" of this stuff that I have been missing. I read some current Django books and check current blogs and this group, but lack much of the real-life Django experience that lots of you people share. Thanks for your comments!

You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/django-users?hl=en
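The "check both flags" decorator the post describes, as an added example that is not code from the original post or from Django itself: a user counts as logged in only when is_anonymous is False and is_authenticated is True, so the inconsistent state (both True) falls through to the login redirect instead of reaching the view. The request/user classes and `redirect_to_login` below are constructed stand-ins for Django's objects so the block runs without Django installed; LOGIN_URL is an assumed value.

```python
from functools import wraps
from urllib.parse import urlencode

LOGIN_URL = "/accounts/login/"  # assumption: stands in for settings.LOGIN_URL


def _flag(value):
    """Accept the flag as a property (newer Django) or as a method (older Django)."""
    return bool(value() if callable(value) else value)


def redirect_to_login(next_path):
    """Constructed stand-in for django.contrib.auth.views.redirect_to_login:
    returns (status, Location) instead of an HttpResponseRedirect."""
    return (302, LOGIN_URL + "?" + urlencode({"next": next_path}))


def strict_login_required(view_func):
    """Like login_required, but requires is_anonymous False AND is_authenticated True."""
    @wraps(view_func)
    def _wrapped(request, *args, **kwargs):
        user = request.user
        # Any other combination, including both flags True, is treated as logged out.
        logged_in = (not _flag(user.is_anonymous)) and _flag(user.is_authenticated)
        if not logged_in:
            return redirect_to_login(request.path)
        return view_func(request, *args, **kwargs)
    return _wrapped


class _User:  # constructed stand-in for request.user
    def __init__(self, anonymous, authenticated):
        self.is_anonymous = anonymous
        self.is_authenticated = authenticated


class _Request:  # constructed stand-in for HttpRequest
    def __init__(self, path, user):
        self.path = path
        self.user = user


@strict_login_required
def profile_view(request):
    return (200, "profile page")


def run_cases():
    """Status code returned for the three states mentioned in the post."""
    cases = {
        "logged_in": _User(anonymous=False, authenticated=True),
        "logged_out": _User(anonymous=True, authenticated=False),
        "stale_cookie": _User(anonymous=True, authenticated=True),  # the odd case
    }
    return {name: profile_view(_Request("/profile/", u))[0] for name, u in cases.items()}
```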