feat: replace custom middleware with Django's LoginRequiredMiddleware #16956
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Replace Weblate's custom RequireLoginMiddleware with Django 5.1's built-in LoginRequiredMiddleware to simplify authentication handling. - Remove weblate.accounts.middleware.RequireLoginMiddleware class - Use django.contrib.auth.middleware.LoginRequiredMiddleware when REQUIRE_LOGIN=True - Add @login_not_required decorator to git_export view for HTTP Basic Auth - Remove obsolete LOGIN_REQUIRED_URLS and LOGIN_REQUIRED_URLS_EXCEPTIONS settings - Update tests to verify Django middleware behavior - Deprecate Docker environment variables for URL exceptions All public views already use @login_not_required decorator as of Django 5.1. Closes WeblateOrg#16934
for more information, see https://pre-commit.ci
❌ 1 Tests Failed:
View the top 1 failed test(s) by shortest run time
To view more test analytics, go to the Test Analytics Dashboard |
nijel
reviewed
Nov 18, 2025
Member
nijel
left a comment
nijel
left a comment
There was a problem hiding this comment.
Looks good once the ruff and mypy errors are fixed.
Comment on lines
23
to
24
| def public_view(self, request) -> str: | ||
| """A public view marked with @login_not_required decorator.""" |
Member
There was a problem hiding this comment.
Suggested change
| def public_view(self, request) -> str: | |
| """A public view marked with @login_not_required decorator.""" | |
| def public_view(self, request: HttpRequest) -> str: | |
| """View not requiring login.""" |
Comment on lines
27
to
28
| def protected_view(self, request) -> str: | ||
| """A protected view without the @login_not_required decorator.""" |
Member
There was a problem hiding this comment.
Suggested change
| def protected_view(self, request) -> str: | |
| """A protected view without the @login_not_required decorator.""" | |
| def protected_view(self, request: HttpRequest) -> str: | |
| """View requiring login.""" |
Member
|
Did you actually test running with the middleware?
|
- Fix docstrings to use imperative mood (D401) - Add HttpRequest type hints to test methods - Add auth.E013 to SILENCED_SYSTEM_CHECKS for custom auth middleware - Add @login_not_required decorator to WeblateLoginView and SecondFactorLoginView to prevent redirect loops These changes fix the ruff linting errors and resolve the login redirect loop issue identified during testing.
for more information, see https://pre-commit.ci
Member
|
The remaining bit is /admin/login/ which should also work without requiring login (it always allows local login even if it is disabled for user authentication). |
Add @login_not_required decorator to WeblateAdminSite.login method to ensure /admin/login/ is accessible even when REQUIRE_LOGIN=True. This allows local admin login to work as intended, supporting the Django admin's authentication flow.
nijel
reviewed
Nov 24, 2025
Co-authored-by: Michal Čihař <[email protected]>
nijel
reviewed
Nov 25, 2025
nijel
reviewed
Nov 25, 2025
Removed documentation for URL exceptions related to authentication.
Updated documentation to reflect changes in version 5.15 regarding the reliance on Django middleware.
nijel
reviewed
Nov 25, 2025
for more information, see https://pre-commit.ci
Member
|
Merged, thanks for your contribution! I had to do some documentation adjustments before. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Replace custom middleware with Django's LoginRequiredMiddleware
Description
Replace Weblate's custom
RequireLoginMiddlewarewith Django 5.1's built-inLoginRequiredMiddlewareto simplify authentication handling and reduce maintenance burden.Changes
weblate.accounts.middleware.RequireLoginMiddlewareclass (~75 lines)django.contrib.auth.middleware.LoginRequiredMiddlewarewhenREQUIRE_LOGIN=True@login_not_requireddecorator togit_exportview for HTTP Basic Auth compatibilityLOGIN_REQUIRED_URLSandLOGIN_REQUIRED_URLS_EXCEPTIONSsettingsweblate.accounts.tests.test_middlewareto verify Django middleware behaviorWEBLATE_LOGIN_REQUIRED_URLS_EXCEPTIONS,WEBLATE_ADD_LOGIN_REQUIRED_URLS_EXCEPTIONS, andWEBLATE_REMOVE_LOGIN_REQUIRED_URLS_EXCEPTIONSdocs/changes.rstwith compatibility notesImplementation Details
All public views throughout the codebase already use the
@login_not_requireddecorator (introduced in Django 5.1), making this migration straightforward. The middleware is conditionally added only whenREQUIRE_LOGIN=True, maintaining backward compatibility.The Git exporter view required special attention as it implements HTTP Basic Authentication independently. It now uses
@login_not_requiredto bypass the login requirement while maintaining its own authentication logic.Testing
LoginRequiredMiddlewarebehavior/healthz/,/api/,/widgets/, etc.)REQUIRE_LOGIN=TrueDocumentation
Closes #16934