browserid_info should not set `email` if user did not log in with django-browserid

mozilla / django-browserid

Django application for adding BrowserID support.

Mozilla Public License 2.0

179 stars 80 forks source link

browserid_info should not set `email` if user did not log in with django-browserid #141

Closed callahad closed 11 years ago

callahad commented 11 years ago

GNU Mailman supports both Persona and traditional authentication. If the user logs in with traditional auth, the browserid_info block reports an email address, which flows into id.watch({loggedInUser: ...}).

Except Persona doesn't think any user should be logged in, so it immediately fires the onlogout callback. Oops!

Proposed remedy: Line 33 in helpers.py should only be set to non-null when the authentication backend is django_browserid.auth.BrowserIDBackend.

seagreen commented 11 years ago

I had the same issue when I tried to implement both my own email+password login and django-browserid on the same site.

As a quick fix you can add this around around each instance of {% browserid_js %} in your templates (assuming 'django.contrib.auth.backends.ModelBackend' is your only other auth backend):

{% if not 'django.contrib.auth.backends.ModelBackend' in request.session.values %}
  {% browserid_js %}
{% endif %}

Here's an example in practice.