This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Add dict instance check before accessing it #15944
Closed
rajuniit
wants to merge
14
commits into
matrix-org:develop
from
rajuniit:bugfix/issue-15871/500-error-uia-request
Closed
Changes from 13 commits
Commits
Show all changes
14 commits
Select commit
Hold shift + click to select a range
2d99953
fix: add dict instance check before accessing it
dc16c05
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 0560a7b
fix: fixing a typo of a method name isinstance my last commit
6fc5e78
fix: Added changelog file for this fix
fe888d2
Added . at the end of line in changelog file
246d6d5
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 9f0894f
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 3127227
Throwing error if client data is not dict
ec1c23a
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 5b19acb
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit ad20c6c
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 2f43ac7
fix code format style
2a2eeb6
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit 349bd24
Merge branch 'develop' into bugfix/issue-15871/500-error-uia-request
rajuniit File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Add dic instance check before accessing auth session. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a chance to look deeper at this;
check_ui_authhas 3 callers:validate_user_via_ui_auth, this has a handful of callers.PasswordRestServlet.on_POSTRegisterRestServlet.on_POSTSome of these properly validate that
authisNoneor a dictionary. Others don't have validation (see #13147). I'm wondering if we should do validation up front instead of at this stage.@DMRobertson It looks like you started adding the UI Auth validation of REST endpoints. Did you have a plan here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't have a specific plan, I'm afraid. I vaguely remember UI auth being confusing when I looked it it, but that was about a year ago.
My general plan was to do as much validation as possible in the rest layer, and pass a parsed Pydantic model instance down to the handlers. The two can be done separately, which makes it easier to validate one endpoint at a time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is an vaguely open question about how we should be using Pydantic going forward. It has just made a 2.x release with a strict mode built-in (no more check_pydantic_models.py) and performance improvements. There are some breaking changes though, plus some of our packagers are presumably going to be shipping Pydantic 1.x for some time. #15979 has some more detailed discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @clokep @DMRobertson, was some decision made on Pydantic? What should we do here for now?
If this function is called from every rest endpoint at the beginning should we keep it here, or move it upfront to rest layers which are using this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@prajjawal05 I think adding the validation would be a good step forward. I don't agree there's an open question. Today we're using pydantic 1.x and should not block good work because we might one-day update to pydantic 2.x.