Skip to content

SHOW_TOOLBAR_CALLBACK change in django-debug-toolbar 1.8 breaks existing code and it is not documented #954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
glasslion opened this issue Jun 8, 2017 · 3 comments
Closed

SHOW_TOOLBAR_CALLBACK change in django-debug-toolbar 1.8 breaks existing code and it is not documented #954

glasslion opened this issue Jun 8, 2017 · 3 comments

Comments

@glasslion
Copy link

In django-debug-toolbar 1.7 and below, the SHOW_TOOLBAR_CALLBACK callback is used to check both whether a request to debug-toolbar views should be authorized and whether a request is ajax.

In django-debug-toolbar 1.8, the ajax check is moved into the middleware, and it raises a 404 if a request can not pass the SHOW_TOOLBAR_CALLBACK check.

So a callback written for django-debug-toolbar<=1.7 will broken debug-toolbar 1.8's ajax request. :-(

Debug-toolbar's own doc still indicates that the callback should check if the request is AJAX, it's confusing:

The default checks are that DEBUG must be set to True, the IP of the request must be in INTERNAL_IPS, and the request must not be an AJAX request.

Because those 404s do not have explicit error messages, it is even harder to find the root cause.
@glasslion glasslion mentioned this issue Jun 8, 2017
Closed
@matthiask
Copy link
Member

Cc @jdufresne you might want to take a look at this? Does the PR make sense to you?

@awbacker
Copy link

awbacker commented Jun 29, 2017
edited
Loading

In my case I don't want to do the internal_ips check since we work in ways where thats really not possible. I had overridden the callback to check debug + !is_ajax(), and that was broken now (not sure why). This changed fixed it for me:

        def show_toolbar_handler(request):
-            return settings.DEBUG and not request.is_ajax()
+            return settings.DEBUG

As for changes to message, I would stick with the 404 from the resource, however... The calling panel obviously can render html, so it could:

  • detect that you are using a custom callback and ask you to check that
  • say 404 but give a list of possible reasons

Just a thought. This was quite frustrating, as @glasslion says. Since there is nothing that indicates the possible causes of the error and if you copy the failing url into your browser directly it works! So somehow the

@jdufresne
Copy link
Contributor

and that was broken now (not sure why)

The behavior changed so that SHOW_TOOLBAR_CALLBACK could be reused to guard against unauthorized access of panel views that are requested with AJAX. So the AJAX check is not always applicable. The details of this are outline in PR #926.

It was my mistake not documenting this breaking change, but the net effect is that panel views now check access is allowed to avoid leaking private data, which I think should remain.

I think modifying the documentation to alert users to the breaking changes is the best way to handle it without reintroducing unauthorized access of panel views.

@jdufresne jdufresne mentioned this issue Jun 29, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@matthiask @awbacker @jdufresne @glasslion