django modifying the request object

Question

I already have a django project and it logical like those:

url: URL?username=name&pwd=passwd

view:

def func(request):
   dic = request.GET

   username = dic.get("username")
   pwd = dic.get("pwd")

but now we need encrypt the data. Then, the request become this:

url: URL?crypt=XXXXXXXXXX (XXXXXXXX is encrypted str for "username=name&pwd=passwd")

so I need modify every view function. But now I want decrypt in django middleware to prevent from modifying every view function.

but when I modify request.GET, I recive error msg "This QueryDict instance is immutable". How can I modify it?

Answer 1

django.http.QueryDict objects that are assigned to request.GET and request.POST are immutable.

You can convert it to a mutable QueryDict instance by copying it:

request.GET = request.GET.copy()

Afterwards you'll be able to modify the QueryDict:

>>> from django.test.client import RequestFactory
>>> request = RequestFactory().get('/')
>>> request.GET
<QueryDict: {}>
>>> request.GET['foo'] = 'bar'
AttributeError: This QueryDict instance is immutable
>>> request.GET = request.GET.copy()
<QueryDict: {}>
>>> request.GET['foo'] = 'bar'
>>> request.GET
<QueryDict: {'foo': 'bar'}>

This has been purposefully designed so that none of the application components are allowed to edit the source request data, so even creating a immutable QueryDict again would break this design. I would still suggest that you follow the guidelines and assign additional request data directly on the request object in your middleware, despite the fact that it might cause you to edit your sources.

Answer 2

Remove immutability:

if not request.GET._mutable:
   request.GET._mutable = True

# now you can spoil it
request.GET['pwd'] = 'iloveyou'

Update

The Django sanctioned way is: request.GET.copy().

According to the docs:

The QueryDicts at request.POST and request.GET will be immutable when accessed in a normal request/response cycle. To get a mutable version you need to use QueryDict.copy().

Nothing guarantees future Django versions will use _mutable. This has more chances to change than the copy() method.

Answer 3

You shouldn't use GET to send the username and password, it's bad practice (since it shows the information on the URL bar, and might pose a security risk). Instead, use POST. Also, I'm guessing you're trying to authenticate your users, and it seems like you're doing too much work (creating a new middleware) to deal with something that is completely built in, to take the example from the docs:

from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
    else:
        # Return an 'invalid login' error message.

I myself really like using the login_required decorator, very simple to use. Hope that helps