fix sudo for django auth?

hmpf · hmpf · commit 56d121f993a2 · 2025-10-23T09:54:45.000+02:00
diff --git a/python/nav/web/auth/middleware.py b/python/nav/web/auth/middleware.py
@@ -31,9 +31,10 @@
     ensure_account,
     authorization_not_required,
     get_account,
+    set_account,
     get_user,
 )
-from nav.web.auth.sudo import get_sudoer
+from nav.web.auth.sudo import get_sudoer, set_sudo_operator
 from nav.web.utils import is_ajax
 
 
@@ -78,9 +79,7 @@ def process_request(self, request: HttpRequest) -> None:
                 ensure_account(request)
 
         if sudo_operator is not None:
-            # XXX: sudo: Account.sudo_operator should be set by function!
-            request.account.sudo_operator = sudo_operator
-            request.user.sudo_operator = sudo_operator
+            set_sudo_operator(request, sudo_operator)
 
         _logger.debug(
             'AuthenticationMiddleware EXIT (session: %s, account: %s) from "%s"',
@@ -133,10 +132,10 @@ def process_request(self, request):
             )
 
         user = get_user(request)  # NOT lazy!
-        request.user = user
-        request.account = user  # remove this eventually
+        set_account(request, user, cycle_session_id=False)
 
         # NAV-specific sudo method
+        # XXX: sudo
         sudo_operator = get_sudoer(request)  # Account or None
         if sudo_operator:
             logged_in = sudo_operator or user
@@ -146,5 +145,4 @@ def process_request(self, request):
                 user.login,
                 request.get_full_path(),
             )
-            request.account.sudo_operator = sudo_operator
-            request.user.sudo_operator = sudo_operator
+            set_sudo_operator(request, sudo_operator)
diff --git a/python/nav/web/auth/sudo.py b/python/nav/web/auth/sudo.py
@@ -43,7 +43,7 @@ def sudo(request: HttpRequest, other_user: Account) -> None:
     if not account.is_admin():
         # Check if sudoer is acctually admin
         raise SudoNotAdminError()
-    original_user = request.account
+    original_user = get_account(request)
     request.session[SUDOER_ID_VAR] = original_user.id
     set_account(request, other_user)
     _logger.info('Sudo: "%s" acting as "%s"', original_user, other_user)
@@ -95,6 +95,11 @@ def get_sudoer(request: HttpRequest) -> Optional[Account]:
         return Account.objects.get(id=request.session[SUDOER_ID_VAR])
 
 
+def set_sudo_operator(request, sudo_operator):
+    request.account.sudo_operator = sudo_operator
+    request.user.sudo_operator = sudo_operator
+
+
 class SudoRecursionError(Exception):
     msg = "Already posing as another user"
 
