Feature/ogc 3157 current user none crash#2471
Conversation
…er() Adds OrgRequest.get_current_user() which captures a Sentry warning and raises HTTPForbidden when current_user is None despite a valid Redis session. Replaces all bare asserts and inline None checks across feriennet, org, town6 and translator_directory. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Tests that get_current_user() returns the user when present, and raises HTTPForbidden while sending a Sentry warning when current_user is None. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR aims to prevent crashes when request.current_user is unexpectedly None by introducing a safer accessor on OrgRequest and replacing a number of assert request.current_user is not None call sites with either request.get_current_user() or guard clauses.
Changes:
- Added
OrgRequest.get_current_user()which raisesHTTPForbiddenand attempts to emit a Sentry warning whencurrent_useris unexpectedly missing. - Replaced multiple
assert request.current_user is not Noneusages withrequest.get_current_user()across org/feriennet/translator_directory views and helpers. - Added unit tests for the new
get_current_user()behavior.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/onegov/org/test_request.py | Adds tests for OrgRequest.get_current_user() success and failure behavior. |
| src/onegov/org/request.py | Introduces get_current_user() and adds Sentry logging + HTTPForbidden on missing user. |
| src/onegov/org/custom.py | Avoids crashing in global tools ticket section when current_user is None. |
| src/onegov/org/utils.py | Switches second-factor lookup to use get_current_user() in can_change_username. |
| src/onegov/org/views/ticket.py | Uses get_current_user() when building “My” ticket filter. |
| src/onegov/org/views/resource.py | Uses get_current_user() when closing reservation tickets. |
| src/onegov/org/views/form_registration_window.py | Uses get_current_user() when closing tickets during submission cancellation. |
| src/onegov/org/views/form_definition.py | Uses get_current_user() when closing tickets related to submissions. |
| src/onegov/translator_directory/views/time_report.py | Uses get_current_user() when accepting time reports and closing tickets. |
| src/onegov/translator_directory/generate_docx.py | Uses get_current_user() to derive signature lookup criteria. |
| src/onegov/translator_directory/custom.py | Adds guard to avoid current_user-None crash in tickets tools. |
| src/onegov/town6/custom.py | Adds guard to avoid current_user-None crash in chat staff tools. |
| src/onegov/feriennet/views/occasion.py | Uses get_current_user() when recording TOS acceptance. |
| src/onegov/feriennet/views/invoice.py | Uses get_current_user() for invoice/donation flows dependent on the logged-in user. |
| src/onegov/feriennet/views/booking.py | Uses get_current_user() for “my bookings” when not admin. |
| src/onegov/feriennet/forms/attendee.py | Uses get_current_user() for TOS field handling based on user data. |
| src/onegov/feriennet/custom.py | Adds guard to avoid current_user-None crash in personal tools. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is
Additional details and impacted files
Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
Embed the username directly in the message string instead of using the non-existent extras= parameter. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…up fails Anonymous requests should raise HTTPForbidden silently; the warning is only meaningful when a valid session identity exists but current_user is unexpectedly None. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ogin links Replace early return guard with an inline condition so only the tickets block is skipped when current_user is None, not the rest of the generator. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Rename get_current_user() result to current_user to distinguish the requester from the user argument being inspected. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
@Daverball Is this a good approach to prevent assertion errors at runtime but try to identify the root cause of |
…user NO_IDENTITY is not None, so the previous guard would trigger a spurious Sentry warning for unauthenticated requests. Use is_logged_in instead, which correctly checks identity is not NO_IDENTITY. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
MagicMock auto-creates truthy attributes, so setting identity=None had no effect on the is_logged_in check. Explicitly set is_logged_in=True/False to reflect the actual condition the code under test checks. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replacing the silent early return with get_current_user() ensures a stale-session case (is_logged_in True but current_user None) is reported to Sentry and handled consistently with the rest of the codebase. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…sions Same fix as town6: replace the silent early return with get_current_user() so a stale-session case is reported to Sentry and handled consistently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the silent current_user is not None guard with get_current_user() so stale-session inconsistencies are reported to Sentry consistently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The method raises HTTPForbidden for any None current_user, not just the stale-session case. Clarify that anonymous requests are also forbidden, and that Sentry is only notified for the logged-in-but-missing-user case. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ning current_username is an email address (PII) and was sent unconditionally, bypassing the should_send_default_pii() gate used elsewhere in the Sentry integration. Switch to identity.uid which is the non-PII Sentry user ID already attached to every event via the event processor. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Asserts can be optimised away with -O and split(' ') would crash on
names with more than one space. Use an explicit guard and split(' ', 1)
with a length check instead, returning None for missing or malformed names.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the silent current_user None guard in translator_directory/custom.py with get_current_user(), consistent with the other nav fixes. Also add get_current_user() to AgencyApp's DummyRequest test fixture. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
strip() removes leading/trailing whitespace, split(None, 1) handles multiple spaces between first and last name, and the non-empty check on both parts prevents overly broad LIKE '%%' queries. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
The root cause of this exception is most likely that changing a translator's e-mail address does not log them out. So they're still logged in with their old e-mail, which no longer has an associated account, so So I don't think we should make any large sweeping changes to make the application not crash, when this happens. Since after all it is a real problem if we didn't log that user out. It might be worth adding a Although we probably could change |
Is that related to LDAP? |
It shouldn't be an issue during external login, although I'm not sure what happens if they have multiple sessions and their LDAP username gets changed during external login, I'm not sure if we remembered to terminate all the other sessions, so only the one with the new name remains. But with translators it's also possible for admins to change the name of the translator, which gets mirrored back to the user if I'm not mistaken and we could be forgetting to log the user out there as well. There's also the LDAP synchronization cronjob, although I'm not sure if we have that for translator directory or if it's only running for FSI. Either way there are quite a few ways the username can change, and we probably didn't remember to log out the active session for some of the ways. That's why adding a |
Org: Replace
assert current_user is not Nonewith a Sentry warning andHTTPForbiddenAdds
OrgRequest.get_current_user()which captures a Sentry warning and raisesHTTPForbiddenwhencurrent_user is Nonedespite a valid session. Replaces all bare asserts across feriennet, org, town6 and translator_directory.Sentry issue: https://seantis-gmbh.sentry.io/issues/7467148569/
TYPE: Feature
LINK: ogc-3157