temp: remove false positives on safe sessions middleware (#27105)

* temp: remove false positives on safe sessions middleware This is a temporary fix to deal with false positives in the system due to the masquerading feature. Long term we may not want to rely on knowing about how masquerding works in the safe sessions middleware and instead manage masquerding of the requset user in some other way. Co-authored-by: Robert Raposa <rraposa@edx.org>
2021-03-22 14:44:52 -04:00
parent 4c5d56ef06
commit c67c401f89
1 changed files with 4 additions and 0 deletions
--- a/openedx/core/djangoapps/safe_sessions/middleware.py
+++ b/openedx/core/djangoapps/safe_sessions/middleware.py
@@ -368,6 +368,10 @@ class SafeSessionMiddleware(SessionMiddleware, MiddlewareMixin):
        given userid_in_session.
        """
        if hasattr(request, 'safe_cookie_verified_user_id'):
+            if hasattr(request.user, 'real_user'):
+                # If a view overrode the request.user with a masqueraded user, this will
+                #   revert/clean-up that change during response processing.
+                request.user = request.user.real_user
            if request.safe_cookie_verified_user_id != request.user.id:
                # The user at response time is expected to be None when the user
                # is logging out. To prevent extra noise in the logs,