You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello there!
Currently it's allowed that an custom authentication class returns a tuple containing (None, None). This causes the authentication to be considered successful and sets request.user = None and this can cause errors that are hard to track where they came from.
I know that this wrongly implemented by the CustomAuthentication class, the user should've raised an AuthenticationFailed exception instead. But this allows the user to shoot itself on the foot.
Example of a bad implemented authentication class:
Hello there!
Currently it's allowed that an custom authentication class returns a tuple containing
(None, None)
. This causes the authentication to be considered successful and setsrequest.user = None
and this can cause errors that are hard to track where they came from.I know that this wrongly implemented by the
CustomAuthentication
class, the user should've raised anAuthenticationFailed
exception instead. But this allows the user to shoot itself on the foot.Example of a bad implemented authentication class:
Later if you have a permission check for example, you would see the following error:
It would be nice if rest framework disallowed this totally wrong implementation.
Checklist
The text was updated successfully, but these errors were encountered: